System and method of sort-order preserving tokenization

US 8,739,265 B2
Filed: 04/19/2012
Issued: 05/27/2014
Est. Priority Date: 04/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method of obfuscating data in a data object, comprising:

receiving, by an intercepting proxy server computer, the data object from a client device;

at the intercepting proxy server computer, generating a modified data object for transmission to a server computer in a cloud, comprising;

(i) identifying a real data element in the data object;

(ii) creating a token having a token value;

(iii) generating a sort-order preserving prefix based on the real data element;

(iv) concatenating the sort-order preserving prefix and the token value to generate a replacement value; and

(v) replacing the real data element with the replacement value, thus generating the modified data object;

further comprising;

receiving a returned data object, comprising a returned data element, from the server computer in the cloud;

identifying the returned data element as a token-to-be-replaced;

replacing the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and

transmitting the modified returned data object to the client device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intercepting proxy server processes traffic between an enterprise user and a cloud application. The intercepting proxy server provides interception of real data elements in communications from the enterprise to the cloud and replacing them with obfuscating tokens. Tokens included in results returned from the cloud, are intercepted by the intercepting proxy server, and replaced with the corresponding real data elements. In order for the sort order of the tokens to correspond to the sort order of the corresponding real data elements, a sort order preserving data compression is performed on parts of the real data elements, and the compressed values concatenated with the obfuscated tokens, thus producing sortable tokens which, even though they are obfuscated, appear in the correct sort order in the cloud application.

Citations

43 Claims

1. A method of obfuscating data in a data object, comprising:
- receiving, by an intercepting proxy server computer, the data object from a client device;
  
  at the intercepting proxy server computer, generating a modified data object for transmission to a server computer in a cloud, comprising;
  
  (i) identifying a real data element in the data object;
  
  (ii) creating a token having a token value;
  
  (iii) generating a sort-order preserving prefix based on the real data element;
  
  (iv) concatenating the sort-order preserving prefix and the token value to generate a replacement value; and
  
  (v) replacing the real data element with the replacement value, thus generating the modified data object;
  
  further comprising;
  
  receiving a returned data object, comprising a returned data element, from the server computer in the cloud;
  
  identifying the returned data element as a token-to-be-replaced;
  
  replacing the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and
  
  transmitting the modified returned data object to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising transmitting the modified data object from the intercepting proxy server computer to the server computer in the cloud.
  - 3. The method of claim 1, wherein the step (ii) of creating further comprises generating the token value as a random value.
  - 4. The method of claim 1, wherein the step (ii) of creating further comprises generating the token value by encrypting the real data element.
  - 5. The method of claim 1, wherein the step (iii) of generating further comprises compressing a front portion of the real data element using a sort-order preserving compression method.
  - 6. The method of claim 5, wherein the front portion comprises a first character of the real data element.
  - 7. The method of claim 6, wherein the front portion further comprises additional characters following the first character.
  - 8. The method of claim 1, the step (iv) of concatenating further comprises adding a predetermined suffix to the replacement value.
  - 9. The method of claim 1, the step (i) of identifying the real data element further comprises:
    - mapping the data in the data object against a dictionary of attributes; and
      
      identifying the real data element using a corresponding attribute in the dictionary.
  - 10. The method of claim 1, wherein the identifying the token-to-be-replaced further comprises:
    - mapping data in the returned data object against a dictionary of attributes; and
      
      identifying the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
  - 11. The method of claim 1, wherein the replacing the token-to-be-replaced further comprises:
    - extracting the token value from the token-to-be-replaced; and
      
      determining the real data element, comprising indexing a look up table with the token value.
  - 12. The method of claim 1, wherein the replacing the token-to-be-replaced further comprises:
    - extracting the token value from the token-to-be-replaced; and
      
      generating the real data element, comprising decrypting the token value.
  - 13. The method of claim 1, wherein the replacing the token-to-be-replaced further comprises formatting the real data element according to a context in the returned data object.

14. An intercepting proxy server computer, comprising:
- a processor;
  
  a memory having computer readable instructions stored thereon for execution by the processor, causing the processor to obfuscate data in a data object, comprising;
  
  receiving a data object from a client device;
  
  generating a modified data object for transmission to a server computer in a cloud, comprising;
  
  (i) identifying a real data element in the data object;
  
  (ii) creating a token having a token value;
  
  (iii) generating a sort-order preserving prefix based on the real data element;
  
  (iv) concatenating the sort-order preserving prefix and the token value to generate a replacement value; and
  
  (v) replacing the real data element with the replacement value, thus generating the modified data object;
  
  further comprising computer readable instructions stored in the memory for execution by the processor, causing the processor to;
  
  receive a returned data object, comprising a returned date element, from the server computer in the cloud;
  
  identify the returned data element as a token-to-be-replaced;
  
  replace the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and
  
  transmit the modified returned data object to the client device.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 15. The intercepting proxy server computer of claim 14, further comprising computer readable instructions stored in the memory for execution by the processor, causing the processor to transmit the modified data object from the intercepting proxy server computer to the server computer in the cloud.
  - 16. The intercepting proxy server computer of claim 14, wherein the computer readable instructions of creating further cause the processor to generate the token value as a random value.
  - 17. The intercepting proxy server computer of claim 14, wherein the computer readable instructions of creating are configured to generate the token value by encrypting the real data element.
  - 18. The intercepting proxy server computer of claim 14, wherein the computer readable instructions of generating further cause the processor to compress a front portion of the real data element using a sort-order preserving compression method.
  - 19. The intercepting proxy server computer of claim 18, wherein the front portion comprises a first character of the real data element.
  - 20. The intercepting proxy server computer of claim 19, wherein the front portion further comprises additional characters following the first character.
  - 21. The intercepting proxy server computer of claim 14, wherein the computer readable instructions of concatenating further cause the processor to add a predetermined suffix to the replacement value.
  - 22. The intercepting proxy server computer of claim 14, wherein the computer readable instructions of identifying the real data element further cause the processor to:
    - map the data in the data object against a dictionary of attributes; and
      
      identify the real data element using a corresponding attribute in the dictionary.
  - 23. The intercepting proxy server computer of claim 14, wherein the computer readable instructions further cause the processor to:
    - map data in the returned data object against a dictionary of attributes; and
      
      identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
  - 24. The intercepting proxy server computer of claim 14, wherein the computer readable instructions of replacing the token-to-be-replaced further cause the processor to:
    - extract the token value from the token-to-be-replaced; and
      
      determine the real data element, comprising indexing a look up table with the token value.
  - 25. The intercepting proxy server computer of claim 14, wherein the computer readable instructions of replacing the token-to-be-replaced further cause the processor to:
    - extract the token value from the token-to-be-replaced; and
      
      generate the real data element, comprising decrypting the token value.
  - 26. The intercepting proxy server computer of claim 14, wherein the computer readable instructions of replacing the token-to-be-replaced further cause the processor to format the real data element according to a context in the returned data object.
  - 27. A computer network comprising the intercepting proxy server computer of claim 14.

28. An intercepting proxy server computer, comprising:
- a processor comprising a network input/output (IO) system configured to receive a data object from a client device;
  
  a memory having computer readable instructions stored thereon for execution by the processor, forming;
  
  a tooling module configured to identify a real data element in the data object;
  
  a token generator module configured to create a token having a token value;
  
  a compression module configured to generate a sort-order preserving prefix based on the real data element; and
  
  a token packaging module configured to concatenate the sort-order preserving prefix and the token value to generate a replacement value and to replace the real data element with the replacement value, thus generating the modified data object;
  
  wherein;
  
  the network input/output (IO) system is further configured to receive a returned data object, comprising a returned data element, from the server computer in the cloud;
  
  the tooling module is further configured to identify the returned data element as a token-to-be-replaced;
  
  the intercepting proxy server computer further comprising a context formatting module configured to replace the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and
  
  the network input/output (IO) system is further configured to transmit the modified returned data object to the client device.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 29. The intercepting proxy server computer of claim 28, wherein the network input/output (IO) system is further configured to transmit the modified data object from the intercepting proxy server computer to the server computer in the cloud.
  - 30. The intercepting proxy server computer of claim 28, wherein the token generator module comprises a random token generator configured to generate the token value as a random value.
  - 31. The intercepting proxy server computer of claim 28, wherein the token generator module comprises an encryption module configured to generate the token value by encrypting the real data element.
  - 32. The intercepting proxy server computer of claim 28, wherein the compression module is further configured to compress a front portion of the real data element using a sort-order preserving compression method.
  - 33. The intercepting proxy server computer of claim 32, wherein the front portion comprises a first character of the real data element.
  - 34. The intercepting proxy server computer of claim 33, wherein the front portion further comprises additional characters following the first character.
  - 35. The intercepting proxy server computer of claim 28, wherein the token packaging module is further configured to add a predetermined suffix to the replacement value.
  - 36. The intercepting proxy server computer of claim 28, wherein the tooling module is further configured to map the data in the data object against a dictionary of attributes and identify the real data element using a corresponding attribute in the dictionary.
  - 37. The intercepting proxy server computer of claim 28, wherein the tooling module is further configured to map data in the returned data object against a dictionary of attributes and identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
  - 38. The intercepting proxy server computer of claim 28, wherein the computer readable instructions are further configured to form a look up table indexed with the token value from the token-to-be-replaced, thereby determining the real data element.
  - 39. The intercepting proxy server computer of claim 28, further comprising a decryption module configured to extract the token value from the token-to-be-replaced and to generate the real data element by decrypting the token value.
  - 40. The intercepting proxy server computer of claim 28, further comprising a context formatting module configured to format the real data element according to a context in the returned data object.
  - 41. A computer network comprising the intercepting proxy server computer of claim 28.

42. A method of obfuscating data in a data object to generate a modified data object for use in a cloud application, comprising:
- (i) identifying a real data element in the data object;
  
  (ii) creating a token having a token value;
  
  (iii) generating a sort-order preserving prefix based on the real data element;
  
  (iv) generating a sort-order preserving prefix from a predetermined portion of the real data element;
  
  (v) concatenating the sort-order preserving prefix and the token value to generate a replacement value;
  
  (vi) replacing the real data element with the replacement value, thus generating the modified data object; and
  
  (vii) storing the real data element in a look up table indexed with the token value;
  
  further comprising;
  
  obtaining a second modified data object comprising the replacement value;
  
  identifying the replacement value as having the token value;
  
  retrieving the real data element from the look up table by indexing with the token value;
  
  replacing the token-to-be-replaced with the real data element, thereby restoring the real data element in the second modified data object.
- View Dependent Claims (43)
- - 43. The method of claim 42, wherein the token value is a random value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Perspecsys, Inc. (Gen Digital Inc.)
Inventors
Woelfel, John Harold, Woloszyn, Terrence Peter, Ang, George Weilun
Primary Examiner(s)
Parthasarathy, Pramila

Application Number

US13/450,809
Publication Number

US 20120278897A1
Time in Patent Office

768 Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/602   Providing cryptographic fac...

G09C 1/00   Apparatus or methods whereb...

H04L 61/2596   Translation of addresses of...

H04L 61/301   Name conversion

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

System and method of sort-order preserving tokenization

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of sort-order preserving tokenization

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links