Token exchange
Abstract
A value is associated with a token within a trust zone. The token is used in place of the value in operations executed within the trust zone. A key is defined for an entity outside of the trust zone. A processor encrypts the token using the key to form an encrypted token that cannot be decrypted by entities outside of the trust zone. The encrypted token is provided to the entity outside of the trust zone.
16 Claims
1. A non-transitory computer-readable storage medium having computer-executable components stored thereon that when executed by a processor cause the processor to perform steps comprising:
- associating a value with a token such that the token can be used to uniquely identify the value;
- encrypting the token to form a first encrypted token using a key associated with only a first client such that the first client cannot decrypt the first encrypted token;
- sending the first encrypted token to the first client;
- receiving the first encrypted token and an identification of the first client from a second client;
- retrieving the key associated with only the first client based on the identification of the first client and using the retrieved key to decrypt the received first encrypted token into a decrypted token, the decrypted token being the same as the token;
- encrypting the decrypted token to form a second encrypted token using a key associated with only the second client such that the second client cannot decrypt the second encrypted token and such that the second encrypted token is different from the first encrypted token; and
- returning the second encrypted token to the second client.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method comprising:
- associating a value with a token within a trust zone;
- using the token in place of the value in operations executed within the trust zone;
- defining a key for an entity outside of the trust zone;
- a processor encrypting the token using the key to form an encrypted token that cannot be decrypted by entities outside of the trust zone;
- providing the encrypted token to the entity outside of the trust zone;
- defining a second key for a second entity outside of the trust zone;
- encrypting the token using the second key to form a second encrypted token that cannot be decrypted by entities outside of the trust zone;
- providing the second encrypted token to the second entity outside of the trust zone;
- receiving a request for the encrypted token from the second entity together with the second encrypted token;
- decrypting the second encrypted token using the second key to form a decrypted token;
- encrypting the decrypted token using the key to form the encrypted token; and
- providing the encrypted token to the second entity outside of the trust zone.
Dependent claims: 10.
11. A method comprising:
- a processor receiving a first encrypted token from a first entity, wherein the first entity and the processor are unable to decrypt the first encrypted token, and wherein the first encrypted token identifies sensitive data stored within a trust zone;
- the processor submitting the first encrypted token and the identity of the first entity to the trust zone with a request for a second encrypted token that identifies the sensitive data stored within the trust zone;
- a token exchange retrieving a token encryption key that is unique to the first entity but is unknown to the first entity, decrypting the first encrypted token using the token encryption key to retrieve a token, and encrypting the token with a second token encryption key that is unique to the second entity but is unknown to the second entity to form the second encrypted token;
- the processor receiving the second encrypted token from the trust zone wherein the processor is unable to decrypt the second encrypted token; and
- the processor providing the second encrypted token to the first entity, wherein the first entity is unable to decrypt the second encrypted token.
Dependent claims: 12.
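The exchange described in claims 1, 9 and 11, as an added Python example that is not the patent's own code or any product's implementation: the trust zone keeps the value-to-token vault and one token encryption key per client, and a second client can only convert a token by presenting the first client's identification. The names TokenExchange, tokenize, exchange and resolve are assumptions, and the HMAC-based cipher built from the standard library stands in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, os, secrets

def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from a client's token encryption key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _ctr_xor(ek: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; XOR both encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(ek, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, token: bytes) -> bytes:
    # Toy stdlib AEAD (encrypt-then-MAC); a real system would use AES-GCM or similar.
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = _ctr_xor(ek, nonce, token)
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("not encrypted under this client's key")
    return _ctr_xor(ek, nonce, ct)

class TokenExchange:
    """The trust zone of the claims: a value<->token vault and one token encryption key per
    client; clients never receive these keys (hypothetical class, in-memory state)."""
    def __init__(self):
        self._tokens, self._values, self._keys = {}, {}, {}
    def register_client(self, client_id: str) -> None:
        self._keys[client_id] = secrets.token_bytes(32)
    def tokenize(self, value: bytes, client_id: str) -> bytes:
        # Associate the value with one token, then return that token encrypted
        # under the requesting client's own key (claim 1, first three steps).
        token = self._values.setdefault(value, secrets.token_bytes(16))
        self._tokens[token] = value
        return seal(self._keys[client_id], token)
    def exchange(self, enc_token: bytes, first_client: str, second_client: str) -> bytes:
        # Decrypt with the key retrieved from the first client's identification (a wrong
        # identification fails the tag check), then re-encrypt under the second client's key.
        token = unseal(self._keys[first_client], enc_token)
        return seal(self._keys[second_client], token)
    def resolve(self, enc_token: bytes, client_id: str) -> bytes:
        # In-zone operation that uses the token in place of the value.
        return self._tokens[unseal(self._keys[client_id], enc_token)]
```

Because each client's key is unique to it and the nonce is fresh, the second encrypted token always differs from the first, while both resolve to the same value inside the zone.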
13. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon that when executed by a processor cause the processor to perform steps comprising:
- retrieving a first encrypted token from a non-volatile memory where it is used in place of sensitive data, wherein the first encrypted token can only be decrypted by a first entity;
- submitting the first encrypted token and an identity of a second entity to the first entity with a request for a second encrypted token that corresponds to the first encrypted token and can be used in place of the sensitive data, wherein the first encrypted token has been stored in a non-volatile memory in the second entity and can only be decrypted by the first entity;
- the second entity receiving the second encrypted token from the first entity; and
- sending a message that includes the second encrypted token to the second entity.
Dependent claims: 14, 15.
16. A method for providing an encrypted token to an external entity implemented on a computing device, the method comprising:
- the external entity placing sensitive data in a request for the encrypted token;
- the external entity encrypting the request and sending the request to a token owner application/service;
- the token owner application/service decrypting the request and accessing a token exchange to process the request;
- the token exchange extracting the sensitive data and obtaining a token for the sensitive data;
- retrieving a token encryption key from the token exchange, wherein the token encryption key is unique to the external entity but is unknown to the external entity;
- the token exchange encrypting the token with the token encryption key and placing the encrypted token in a return message;
- the token owner application/service encrypting the return message using a public key of the external entity and sending the encrypted return message to the external entity; and
- the external entity decrypting the return message and storing the encrypted token in a secure database.