Systems for structured encryption using embedded information in data strings

US 8,949,625 B2
Filed: 01/30/2012
Issued: 02/03/2015
Est. Priority Date: 01/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method for encrypting data entries in a data file using an encryption engine in a data processing system, comprising:

with processing circuitry in the data processing system, encrypting a first data entry in the data file using an encryption key; and

with the processing circuitry, embedding information associated with the encryption key that was used to encrypt the first data entry in a second data entry in the data file, wherein embedding the information associated with the encryption key comprises;

compressing the second data entry;

combining the information associated with the encryption key that was used to encrypt the first data entry and the compressed second data entry to form an augmented data entry that includes the information associated with the encryption key and the compressed second data entry;

encrypting the augmented data entry using an additional encryption key; and

combining additional information associated with the additional encryption key with the encrypted augmented data entry.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system is provided that includes applications, databases, encryption engines, and decryption engines. Encryption and decryption engines may be used to perform format-preserving encryption on data strings stored in a database. Encryption and decryption engines may include embedded-format-preserving encryption and decryption engines. Embedded-format-preserving encryption engines may be used to encrypt data strings and embed information in data strings. Information corresponding to a format-preserving encryption operation of a data string may be embedded in an associated data string. The associated data string may be encrypted before or after embedding the information in the associated data string. The embedded information may include key management data that corresponds to a managed encryption key that was used to encrypt the data string.

26 Citations

View as Search Results

23 Claims

1. A method for encrypting data entries in a data file using an encryption engine in a data processing system, comprising:
- with processing circuitry in the data processing system, encrypting a first data entry in the data file using an encryption key; and
  
  with the processing circuitry, embedding information associated with the encryption key that was used to encrypt the first data entry in a second data entry in the data file, wherein embedding the information associated with the encryption key comprises;
  
  compressing the second data entry;
  
  combining the information associated with the encryption key that was used to encrypt the first data entry and the compressed second data entry to form an augmented data entry that includes the information associated with the encryption key and the compressed second data entry;
  
  encrypting the augmented data entry using an additional encryption key; and
  
  combining additional information associated with the additional encryption key with the encrypted augmented data entry.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method defined in claim 1 wherein the data file comprises a plurality of portions, wherein each portion includes a plurality of associated fields, and wherein the first data entry and second data entry are located in respective fields of a common one of the portions.
  - 3. The method defined in claim 2, wherein combining the additional information associated with the additional encryption key that was used to encrypt the augmented data entry comprises encoding a portion of the encrypted augmented data entry to include the additional information associated with the additional encryption key that was used to encrypt the augmented data.
  - 4. The method defined in claim 2 wherein encrypting the first data entry using the encryption key comprises encrypting the first data entry using the encryption key by performing a format-preserving encryption operation using the encryption key.
  - 5. The method defined in claim 2 wherein the information associated with the encryption key includes a key version number for the encryption key.
  - 6. The method defined in claim 5 wherein the key version number corresponds to a time.
  - 7. The method defined in claim 5 wherein the key version number corresponds to a given encryption operation.
  - 8. The method defined in claim 2 wherein the first data entry includes a credit card number.
  - 9. The method defined in claim 8 wherein the second data entry comprises a customer name associated with the credit card number.
  - 10. The method defined in claim 2 wherein the first data entry includes a Social Security Number.
  - 11. The method defined in claim 2 wherein each of the portions comprises a row of a table and wherein the respective fields of the common one of the portions are located in a common one of the rows.
  - 12. The method defined in claim 2 wherein each of the portions comprises a logical element in an encoded document and wherein the respective fields of the common one of the portions are sub-elements of a common one of the logical elements.
  - 13. The method defined in claim 2 wherein each of the portions comprises a delimited object in a scripted document and wherein the respective fields of the common one of the portions are key-value pairs of a common one of the delimited objects.

14. A method for decrypting encrypted data entries in a data file using a decryption engine in a data processing system having processing circuitry, the method comprising:
- with the processing circuitry, obtaining a data entry that includes information associated with an encryption key and an encrypted data entry;
  
  with the processing circuitry, extracting the information associated with the encryption key and the encrypted data entry from the data entry, wherein the encrypted data entry has been encrypted using the encryption key;
  
  with the processing circuitry, decrypting the extracted encrypted data entry using the extracted information associated with the encryption key to generate an augmented data entry that includes additional information associated with an additional encryption key and an unencrypted data entry;
  
  with the processing circuitry, extracting the additional information associated with the additional encryption key and the unencrypted data entry from the augmented data entry;
  
  with the processing circuitry, obtaining an additional encrypted data entry; and
  
  with the processing circuitry, decrypting the additional encrypted data entry using the extracted additional information associated with the additional encryption key.
- View Dependent Claims (15, 16, 17, 18, 23)
- - 15. The method defined in claim 14 wherein the data file comprises a plurality of portions, wherein each portion includes a plurality of associated fields and wherein the data entry and the additional encrypted data entry are located in respective fields of a common one of the portions.
  - 16. The method defined in claim 15 wherein extracting the information associated with the encryption key comprises decoding a portion of the data entry that encodes both the information associated with the encryption key and a portion of the encrypted data entry.
  - 17. The method defined in claim 15 wherein the data entry comprises an encrypted portion and an unencrypted portion and wherein extracting the information associated with the encryption key comprises selecting the unencrypted portion of the data entry.
  - 18. The method defined in claim 15 wherein the information associated with the encryption key comprises a key version number for the encryption key and wherein decrypting the extracted encrypted data entry using the extracted information associated with the encryption key comprises:
    - obtaining the encryption key using the key version number; and
      
      decrypting the extracted encrypted data entry using the encryption key.
  - 23. The method defined in claim 14, further comprising:
    - with the processing circuitry, decompressing the unencrypted data entry that was extracted from the augmented data entry.

19. A method for securely storing a data string in a database implemented using computing equipment comprising:
- encrypting the data string using a format-preserving encryption engine and an encryption key;
  
  embedding key management data associated with the encryption key in an additional data string; and
  
  storing the encrypted data string and the additional data string that includes the embedded key management data in associated fields of the database, wherein embedding the key management data associated with the encryption key in the additional data string comprises;
  
  combining the key management data associated with the encryption key that was used to encrypt the data string and the additional data string to form an augmented data string that includes the key management data associated with the encryption key and the additional data string;
  
  encrypting the augmented data string using an additional encryption key; and
  
  combining additional key management data associated with the additional encryption key with the encrypted augmented data entry.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19, further comprising encrypting at least a portion of the additional data string.
  - 21. The method defined in claim 19, wherein embedding the key management data associated with the encryption key in the additional data string further comprises:
    - compressing the additional data string; and
      
      combining the key management data associated with the encryption key that was used to encrypt the data string and the compressed additional data string to form the augmented data string, wherein the augmented data string includes the key management data associated with the encryption key and the compressed additional data string.
  - 22. The method defined in claim 21, wherein the data string comprises a data file having plurality of portions, wherein each portion includes a plurality of associated fields, and wherein the data string and the additional data string are located in respective fields of a common one of the portions of the data file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Voltage Security Incorporated (HP Inc.)
Inventors
Spies, Terence, Smith, Philip Hillyer III
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US13/361,920
Publication Number

US 20130198525A1
Time in Patent Office

1,100 Days
Field of Search

380/28, 380/43, 380/278, 713/193, 705/79
US Class Current

713/193
CPC Class Codes

G06F 21/6227 where protection concerns t...

Systems for structured encryption using embedded information in data strings

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Systems for structured encryption using embedded information in data strings

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links