INCREASING SEARCH ABILITY OF PRIVATE, ENCRYPTED DATA

US 20160232362A1
Filed: 02/11/2016
Published: 08/11/2016
Est. Priority Date: 02/11/2015
Status: Active Grant

First Claim

Patent Images

1. A method for searching a database to obtain data, comprising:

receiving, by a computer database system, a search string;

searching a first table of the computer database system using the search string to identify a matching string, wherein the first table includes an encrypted foreign key for each field;

obtaining at least one encrypted foreign key corresponding to the matching string identified using the search string;

sending the at least one encrypted foreign key to a decryption engine executing on one or more processors of the computer database system;

receiving from the decryption engine, at least one decrypted foreign key corresponding to the at least one encrypted foreign key;

searching a second table of the computer database system using the at least one decrypted foreign key to obtain encrypted data;

sending the encrypted data to the decryption engine to decrypt the encrypted data; and

receiving, from the decryption engine, decrypted data resulting from decryption of the encrypted data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided to allow full search for encrypted data within a database. In some embodiments, searchable data may be separated into different searchable tables in a database in such a way that encrypted data is stored as plaintext but has no usable link to other data within the source database. In some embodiments, performing a query on a particular user data may result in the retrieval of an encrypted identifier, which may then be decrypted via an encryption module. A second search based on the decrypted identifier may produce a set of relevant search results from a source table.

50 Citations

View as Search Results

20 Claims

1. A method for searching a database to obtain data, comprising:
- receiving, by a computer database system, a search string;
  
  searching a first table of the computer database system using the search string to identify a matching string, wherein the first table includes an encrypted foreign key for each field;
  
  obtaining at least one encrypted foreign key corresponding to the matching string identified using the search string;
  
  sending the at least one encrypted foreign key to a decryption engine executing on one or more processors of the computer database system;
  
  receiving from the decryption engine, at least one decrypted foreign key corresponding to the at least one encrypted foreign key;
  
  searching a second table of the computer database system using the at least one decrypted foreign key to obtain encrypted data;
  
  sending the encrypted data to the decryption engine to decrypt the encrypted data; and
  
  receiving, from the decryption engine, decrypted data resulting from decryption of the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the decryption engine is a hardware security module (HSM).
  - 3. The method of claim 1, wherein the search string is received via a request for the encrypted data and includes a wildcard.
  - 4. The method of claim 1, further comprising:
    - searching the second table of the computer database system using the foreign key to obtain plaintext data;
      
      appending the obtained plaintext data to the decrypted data; and
      
      returning the appended decrypted data to a requestor device from which the search string was received.
  - 5. The method of claim 1, further comprising:
    - receiving a request to update the decrypted data with new data;
      
      sending the new data to an encryption engine;
      
      receiving, from the encryption engine, an encrypted new data; and
      
      replacing the encrypted data with the encrypted new data.
  - 6. The method of claim 1, further comprising:
    - searching at least one second table of the computer database system using at least one second search string to identify at least one second matching string, wherein the second table includes a second encrypted foreign key for each field;
      
      obtaining at least one second encrypted foreign key corresponding to the second matching string identified using the second search string;
      
      sending the at least one second encrypted foreign key to the decryption engine; and
      
      receiving, from the decryption engine, at least one second decrypted foreign key corresponding to the at least one second encrypted foreign key, wherein searching a second table of the computer database system comprises identifying encrypted data for which the at least one decrypted foreign key matches the at least one second decrypted foreign key.
  - 7. The method of claim 1, wherein the first table of the computer database system comprises a first column of encrypted foreign keys and a second column of plaintext data, wherein searching the first table of the computer database system using the search string to identify the matching string comprises searching the column of plaintext data for one or more values that match the search string, and wherein the at least one encrypted foreign includes an encrypted foreign key for each of the one or more values that match the search string.

8. A system comprising:
- one or more processors anda memory including instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  receive a query that includes an indication of at least one search column of a source table and a search string;
  
  identify at least one searchable table based on the at least one search column;
  
  identify a set of encrypted identifiers in the at least one searchable table associated with the search string, each of the set of encrypted identifiers being associated with a value in the searchable table that matches the search string;
  
  generate a set of decrypted identifiers from the set of encrypted identifiers;
  
  identify a set of encrypted source data in the source table based at least in part on the set of decrypted identifiers; and
  
  generate a decrypted set of source data by decrypting each of the encrypted source data in the set of encrypted source data; and
  
  return the decrypted set of source data.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the at least one searchable table is identified from a plurality of searchable tables based on the at least one search column indicated in the query, and wherein each searchable table of the plurality of searchable tables is associated with a different search column.
  - 10. The system of claim 8, wherein the set of encrypted identifiers is decrypted using a decryption key associated with the at least one searchable table
  - 11. The system of claim 8, wherein the query is included in an update request that includes new data, and wherein the instructions further cause the one or more processors to:
    - update the decrypted set of source data to include the new data;
      
      encrypt the updated set of source data; and
      
      replace the set of encrypted source data with the encrypted updated set of source data in the source table.
  - 12. The system of claim 11, wherein the instructions further cause the one or more processors to update the one or more searchable tables to reflect the encrypted updated set of source data.
  - 13. The system of claim 8, wherein the query includes an indication of at least one requested column of the source table, and wherein the set of encrypted source data includes one or more values from the at least one requested column.

14. A method of retrieving data comprising:
- receiving a search string related to a database column, the database column having encrypted data;
  
  identifying at least one searchable table relevant to the search string based on the database column, the at least one searchable table including a column of plaintext data corresponding to the encrypted data;
  
  identifying, in the at least one searchable table, at least one row relevant to the search string;
  
  determining, from the identified at least one row, at least one identifier;
  
  identifying, in a source table, at least one row relevant to the at least one identifier; and
  
  retrieving a field value from the at least one row in the source table.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the search string is included in an update request, the update request including a new data to be written to the field value from the at least one row, and the method further comprises:
    - encrypting the new data;
      
      update the field value to the encrypted new data in the source table; and
      
      publish the updated field value to the at least one searchable table.
  - 16. The method of claim 14, wherein the encrypted data is decrypted to determine information related to the search string.
  - 17. The method of claim 14, wherein the source table comprises a column of plaintext identifiers and multiple columns of encrypted data.
  - 18. The method of claim 17, wherein the at least one searchable table comprises a column of encrypted identifiers corresponding to the column of plaintext identifiers and a column of plaintext data.
  - 19. The method of claim 18, wherein the at least one row relevant to the search string is a row containing the search string in the column of plaintext data.
  - 20. The method of claim 14, wherein the at least one searchable table relevant to the search string is identified based on a column to which the search string is related.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Conway, Adam

Granted Patent

US 10,114,955 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2455   Query execution

G06F 16/2458   Special types of queries, e...

G06F 16/2468   Fuzzy queries

G06F 16/90   Details of database functio...

G06F 21/602   Providing cryptographic fac...

G06F 21/6227   where protection concerns t...

INCREASING SEARCH ABILITY OF PRIVATE, ENCRYPTED DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INCREASING SEARCH ABILITY OF PRIVATE, ENCRYPTED DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links