Format-preserving cryptographic systems
First Claim
1. A method for performing encryption at computing equipment, comprising:
- with an encryption engine on computing equipment, obtaining an encoded binary value representing an unencrypted string in a given format, wherein obtaining the encoded binary value comprises:
  - obtaining the unencrypted string in the given format; and
  - encoding the unencrypted string to produce the encoded binary value;
- with the encryption engine on the computing equipment, applying a block cipher to the encoded binary value to produce a block cipher output;
- after each application of the block cipher, with the encryption engine on the computing equipment, determining whether the block cipher output is representative of a string in the given format;
- whenever it is determined that the block cipher output is not representative of a string in the given format, with the encryption engine on the computing equipment, applying the block cipher an additional time to update the block cipher output; and
- when it is determined that the block cipher output is representative of a string in the given format, with the encryption engine on the computing equipment, processing the block cipher output to produce an encrypted version of the unencrypted string.
Abstract
Format-preserving encryption and decryption processes are provided. The encryption and decryption processes may use a block cipher. A string that is to be encrypted or decrypted may be converted to a unique binary value. The block cipher may operate on the binary value. If the output of the block cipher that is produced is not representative of a string that is in the same format as the original string, the block cipher may be applied again. The block cipher may be repeatedly applied in this way during format-preserving encryption operations and during format-preserving decryption operations until a format-compliant output is produced. Selective access may be provided to portions of a string that have been encrypted using format-preserving encryption.
16 Claims
6. A method for performing encryption at computing equipment, comprising:
- with an encryption engine on computing equipment, obtaining an encoded binary value representing an unencrypted string in a given format;
- with the encryption engine on the computing equipment, applying a block cipher to the encoded binary value to produce a block cipher output;
- after each application of the block cipher, with the encryption engine on the computing equipment, determining whether the block cipher output is representative of a string in the given format;
- whenever it is determined that the block cipher output is not representative of a string in the given format, with the encryption engine on the computing equipment, applying the block cipher an additional time to update the block cipher output; and
- when it is determined that the block cipher output is representative of a string in the given format, with the encryption engine on the computing equipment, processing the block cipher output to produce an encrypted version of the unencrypted string, wherein processing the block cipher output comprises restoring removed string elements to the encrypted version of the unencrypted string.
7. A method for performing decryption at computing equipment, comprising:
- with a decryption engine on computing equipment, obtaining an encoded binary value representing an encrypted string in a given format, wherein obtaining the encoded binary value comprises:
  - obtaining the encrypted string in the given format; and
  - encoding the encrypted string to produce the encoded binary value;
- with the decryption engine on the computing equipment, applying a block cipher to the encoded binary value to produce a block cipher output;
- after each application of the block cipher, with the decryption engine on the computing equipment, determining whether the block cipher output is representative of a string in the given format;
- whenever it is determined that the block cipher output is not representative of a string in the given format, with the decryption engine on the computing equipment, applying the block cipher an additional time to update the block cipher output; and
- when it is determined that the block cipher output is representative of a string in the given format, with the decryption engine on the computing equipment, processing the block cipher output to produce a decrypted version of the encrypted string.
12. A method for performing decryption at computing equipment, comprising:
- with a decryption engine on computing equipment, obtaining an encoded binary value representing an encrypted string in a given format;
- with the decryption engine on the computing equipment, applying a block cipher to the encoded binary value to produce a block cipher output;
- after each application of the block cipher, with the decryption engine on the computing equipment, determining whether the block cipher output is representative of a string in the given format;
- whenever it is determined that the block cipher output is not representative of a string in the given format, with the decryption engine on the computing equipment, applying the block cipher an additional time to update the block cipher output; and
- when it is determined that the block cipher output is representative of a string in the given format, with the decryption engine on the computing equipment, processing the block cipher output to produce a decrypted version of the encrypted string, wherein processing the block cipher output comprises restoring removed string elements to the decrypted version of the encrypted string.
13. A method for using at least first and second cryptographic keys to provide at least first and second users with selective access to the contents of a string, comprising:
- with format-preserving encryption at an encryption engine on computing equipment, encrypting a first plaintext part of the string using the first cryptographic key to produce first ciphertext that is in the same format as the first plaintext part while leaving a second plaintext part of the string unencrypted;
- with format-preserving encryption at the encryption engine on the computing equipment following encryption of the first plaintext part of the string, encrypting both the second plaintext part of the string and the first ciphertext using the second cryptographic key to produce second ciphertext, wherein the second ciphertext is in the same format as the string;
- providing the first and second keys to the first user; and
- providing the second key to the second user without providing the first key to the second user.
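Added example (not code from the patent or its assignee): the apply, check and repeat loop described in the abstract and in claims 1 and 7, together with the two-key layering of claim 13, for fixed-length decimal strings. The block cipher is a stand-in HMAC-SHA256 Feistel network chosen so the code runs on the standard library; the function names, round count and key handling are assumptions.

```python
import hashlib, hmac

ROUNDS = 10  # assumption: round count for the stand-in Feistel block cipher

def _f(key, rnd, half, bits):
    # Round function: HMAC-SHA256 over (round, half), truncated to `bits` bits.
    mac = hmac.new(key, bytes([rnd]) + half.to_bytes(16, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") & ((1 << bits) - 1)

def _block(key, value, bits, decrypt=False):
    # Stand-in block cipher: balanced Feistel permutation on 2*bits-bit integers.
    left, right = value >> bits, value & ((1 << bits) - 1)
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if decrypt:
            left, right = right ^ _f(key, rnd, left, bits), left
        else:
            left, right = right, left ^ _f(key, rnd, right, bits)
    return (left << bits) | right

def fpe_digits(key, text, decrypt=False):
    # Format here = fixed-length ASCII decimal string (up to 38 digits).
    if not (text.isascii() and text.isdigit() and len(text) <= 38):
        raise ValueError("expected 1 to 38 ASCII digits")
    limit = 10 ** len(text)
    bits = ((limit - 1).bit_length() + 1) // 2
    value = int(text)                      # encode string -> binary value
    while True:
        value = _block(key, value, bits, decrypt)
        if value < limit:                  # output represents a string in the format
            return str(value).zfill(len(text))
        # otherwise apply the block cipher again (cycle walking)

def protect(key1, key2, first, second):
    # Claim 13 layering: first part under key1, then the whole string under key2.
    return fpe_digits(key2, fpe_digits(key1, first) + second)

def reveal(token, split, key2, key1=None):
    # key2 alone exposes only the second part; key1 is needed for the first part.
    outer = fpe_digits(key2, token, decrypt=True)
    first, second = outer[:split], outer[split:]
    if key1 is not None:
        first = fpe_digits(key1, first, decrypt=True)
    return first, second
```

Encryption here is deterministic, so equal plaintexts under one key produce equal ciphertexts, and for short strings the whole domain is small enough to enumerate.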
Specification