Tokenization of multiple-field records
First Claim
1. A computer-implemented method of controlling access to a complex datum which includes a set of data groups having data stored on a set of external storage media, the method comprising:
receiving, by a server from a client computer over a network, a user token representing a user at the client computer;
mapping, by the server, the user token to a set of data group tokens, each data group token in the set of data group tokens corresponding to a data group in the set of data groups and defining a level of access the user has to that respective data group, each data group in the set of data groups containing data which is stored on an external storage medium from the set of external storage media; and
sending, by the server, the set of data group tokens to the client computer over the network;
wherein the server includes a non-volatile memory in which a database is stored;
wherein the database includes a lookup table containing a set of user tokens and a set of index values, each index value from the set of index values corresponding to a user token in the set of user tokens;
wherein mapping the user token to a set of data group tokens includes:
locating the user token in the lookup table, finding the corresponding index value from the lookup table, and obtaining the set of data group tokens from the corresponding index value;
wherein the index value corresponding to the user token represents a data partitioning scheme;
wherein obtaining the set of data group tokens includes partitioning the user token according to the data partitioning scheme represented by the corresponding index value;
wherein each data group token includes a set of data group token bits;
wherein the method further comprises:
sending, before the receiving of the user token, a hash function to the client computer, for each data group token, generating a set of message authentication code (MAC) bits from an operation of the hash function on the data group token bits of that data group token, and for each data group token, combining the set of MAC bits with the data group token bits of that data group token; and
wherein an application, at the client computer, of the hash function to a data group token of the set of data group tokens producing the set of MAC bits generated for the data group token implies that the data group token is valid.
9 Assignments
0 Petitions
Abstract
An improved technique for granting access to a complex datum maps a single user token representing a user onto a set of data group tokens, each data group token providing access to a data group stored on a storage medium. The improved technique combines the centralization of the complex datum while providing the security of tokenization and will lower the risk of a rogue third party gaining unauthorized access to the user's records stored across the data groups.
13 Citations
17 Claims
1. (Independent claim 1 is reproduced in full under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A system configured to control access to a complex datum which includes a set of data groups having data stored on a set of external storage media, the system comprising:
a network interface coupled to a network;
a memory; and
a processor coupled to the memory, the processor configured to:
receive, from a client computer over the network, a user token uniquely corresponding to and suppressing the identity of a user at the client computer;
map the user token to a set of data group tokens, each data group token in the set of data group tokens corresponding to a data group in the set of data groups and defining a level of access the user has to that respective data group, each data group in the set of data groups containing data which is stored on an external storage medium from the set of external storage media; and
send the set of data group tokens to the client computer over the network;
wherein a database is stored in the memory, the database including a lookup table containing a set of user tokens and a set of index values, each index value from the set of index values corresponding to a user token in the set of user tokens;
wherein mapping the user token to a set of data group tokens includes:
locating the user token in the lookup table, finding the corresponding index value from the lookup table, and obtaining the set of data group tokens from the corresponding index value;
wherein the index value corresponding to the user token represents a data partitioning scheme;
wherein obtaining the set of data group tokens includes partitioning the user token according to the data partitioning scheme represented by the corresponding index value;
wherein each data group token includes a set of data group token bits;
wherein the processor is further configured to:
send, before the receiving of the user token, a hash function to the client computer, for each data group token, generate a set of message authentication code (MAC) bits from an operation of the hash function on the data group token bits of that data group token, and for each data group token, combine the set of MAC bits with the data group token bits of that data group token; and
wherein an application, at the client computer, of the hash function to a data group token of the set of data group tokens producing the set of MAC bits generated for the data group token implies that the data group token is valid.
Dependent claims: 12, 13, 14

15. A computer program product having a non-transitory computer readable storage medium which stores code to control access to a complex datum which includes a set of data groups having data stored on a set of external storage media, the code including a set of instructions to:
receive, from a client computer over the network, a user token uniquely corresponding to and suppressing the identity of a user at the client computer;
map the user token to a set of data group tokens, each data group token in the set of data group tokens corresponding to a data group in the set of data groups and defining a level of access the user has to that respective data group, each data group in the set of data groups containing data which is stored on an external storage medium from the set of external storage media; and
send the set of data group tokens to the client computer over the network;
wherein a database is stored in the memory, the database including a lookup table containing a set of user tokens and a set of index values, each index value from the set of index values corresponding to a user token in the set of user tokens; and
wherein mapping the user token to a set of data group tokens includes:
locating the user token in the lookup table, finding the corresponding index value from the lookup table, and obtaining the set of data group tokens from the corresponding index value;
wherein the index value corresponding to the user token represents a data partitioning scheme;
wherein obtaining the set of data group tokens includes partitioning the user token according to the data partitioning scheme represented by the corresponding index value;
wherein each data group token includes a set of data group token bits;
wherein the code includes further instructions to:
send, before the receiving of the user token, a hash function to the client computer, for each data group token, generate a set of message authentication code (MAC) bits from an operation of the hash function on the data group token bits of that data group token, and for each data group token, combine the set of MAC bits with the data group token bits of that data group token; and
wherein an application, at the client computer, of the hash function to a data group token of the set of data group tokens producing the set of MAC bits generated for the data group token implies that the data group token is valid.
Dependent claims: 16, 17
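The server-side mapping and client-side check recited in independent claims 1, 11 and 15, as an added worked example; this is illustrative code written for this page, not code from the patent or its assignee. It assumes a concrete shape for things the claims leave abstract: a partitioning scheme is a list of (data group, byte length, access level) entries and the user token is partitioned by slicing it into consecutive byte ranges; the lookup table is an in-memory dict; and the "hash function" the server shares with the client ahead of time is modelled as a shared key for HMAC-SHA256 rather than an unkeyed hash, because with a public unkeyed hash anyone who holds the function can mint a matching tag for a forged data group token, so the client's re-computation would prove nothing. The MAC is truncated to 16 bytes and appended to the token bits; all sample tokens and group names are constructed.

```python
"""Map one user token onto MAC-protected data group tokens (server) and
re-derive the MAC to accept or reject each token (client).
Illustrative example for the claims above; not the patent's own code."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Assumption: an index value names a partitioning scheme, and a scheme is a
# list of (data group name, byte length, access level). Constructed sample.
PARTITION_SCHEMES: Dict[int, List[Tuple[str, int, str]]] = {
    0: [("demographics", 4, "read"), ("billing", 4, "read"), ("clinical", 8, "none")],
    1: [("demographics", 8, "read"), ("billing", 8, "read-write")],
}

# Assumption: what the server shares with the client before the user token is
# received is an HMAC key, not a public unkeyed hash function (see lead-in).
MAC_KEY = secrets.token_bytes(32)
MAC_LEN = 16  # bytes of HMAC-SHA256 output kept per data group token


def _mac(key: bytes, token_bits: bytes) -> bytes:
    """MAC bits over the data group token bits (truncated HMAC-SHA256)."""
    return hmac.new(key, token_bits, hashlib.sha256).digest()[:MAC_LEN]


class TokenServer:
    def __init__(self, key: bytes, lookup: Dict[bytes, int]):
        self._key = key
        self._lookup = lookup  # lookup table: user token -> index value

    def map_user_token(self, user_token: bytes) -> List[Tuple[str, str, bytes]]:
        """Return (group, access level, token_bits || mac_bits) per data group."""
        index = self._lookup[user_token]        # locate token, find index value
        scheme = PARTITION_SCHEMES[index]       # index value represents the scheme
        if len(user_token) != sum(n for _, n, _ in scheme):
            raise ValueError("user token length does not match partitioning scheme")
        issued = []
        offset = 0
        for group, nbytes, level in scheme:
            group_token = user_token[offset:offset + nbytes]  # partition the user token
            offset += nbytes
            # combine MAC bits with the data group token bits (append)
            issued.append((group, level, group_token + _mac(self._key, group_token)))
        return issued


class TokenClient:
    def __init__(self, key: bytes):
        self._key = key

    def verify(self, combined: bytes) -> Tuple[bool, bytes]:
        """Split token bits from MAC bits, recompute, compare in constant time.
        Returns (valid, token_bits)."""
        if len(combined) <= MAC_LEN:
            return False, b""
        token_bits, mac_bits = combined[:-MAC_LEN], combined[-MAC_LEN:]
        return hmac.compare_digest(_mac(self._key, token_bits), mac_bits), token_bits


def demo() -> Dict[str, bool]:
    """Issue tokens for one constructed 16-byte user token and check each one,
    then show that altering a single bit of one data group token fails its MAC."""
    user_token = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    server = TokenServer(MAC_KEY, {user_token: 0})
    client = TokenClient(MAC_KEY)
    issued = server.map_user_token(user_token)
    results = {group: client.verify(combined)[0] for group, _, combined in issued}
    _, _, clinical = issued[2]
    tampered = bytes([clinical[0] ^ 0x01]) + clinical[1:]  # flip one token bit
    results["clinical_tampered"] = client.verify(tampered)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Two things the claims do not pin down but a deployment must: the client learns only whether the MAC matches, so access enforcement still has to happen at whatever fronts each external storage medium (the data group token plus MAC is presented there, and that service needs the same key); and because the data group tokens are literal slices of the user token, a party holding all of them can reassemble the user token, so the scheme's privacy benefit depends on tokens for different data groups being kept apart.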
Specification