System and method for tokenization of data for storage in a cloud

US 9,021,135 B2
Filed: 04/19/2012
Issued: 04/28/2015
Est. Priority Date: 04/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method of obfuscating a sensitive data element in a data object received from a client device, the method comprising:

at an intercepting proxy server computer;

creating a token having a random token value;

concatenating a predetermined prefix and the random token value to generate a replacement value;

storing the sensitive data element in a lookup table indexed by the random token value;

replacing the sensitive data element with the replacement value, thus generating a modified data object;

transmitting the modified data object from the intercepting proxy server computer to the server computer in a cloud;

receiving from the server computer in the cloud, a returned data object corresponding to the modified data object comprising a returned data element;

extracting the random token value from the returned data element;

generating the sensitive data element, comprising looking up the sensitive data element in the lookup table indexed by the random token value;

formatting the sensitive data element based on a context of a data structure containing the sensitive data element in the returned data object, thus generating a formatted sensitive data element;

replacing the returned data element with the formatted sensitive data element thereby generating a modified returned data object for transmitting to the client device; and

identifying the returned data element as a token-to-be-replaced, wherein the identifying the returned data element as the token-to-be-replaced further comprises;

mapping data in the returned data object against a dictionary of attributes; and

identifying the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intercepting proxy server processes traffic between an enterprise user and a cloud application. The intercepting proxy server provides interception of real data elements in communications from the enterprise to the cloud and replacing them with obfuscating tokens which are randomly generated. To the cloud application real data are only visible as tokens. Tokens included in results returned from the cloud, are intercepted by the intercepting proxy server, and replaced with the corresponding real data elements. The obfuscating tokens are not computationally related to the original sensitive value. Each intercepted real data element is stored in a local persistent storage layer, and indexed by the corresponding obfuscating token, allowing the real data element to be retrieved when the token is returned from the cloud, for delivery to the user.

Citations

19 Claims

1. A method of obfuscating a sensitive data element in a data object received from a client device, the method comprising:
- at an intercepting proxy server computer;
  
  creating a token having a random token value;
  
  concatenating a predetermined prefix and the random token value to generate a replacement value;
  
  storing the sensitive data element in a lookup table indexed by the random token value;
  
  replacing the sensitive data element with the replacement value, thus generating a modified data object;
  
  transmitting the modified data object from the intercepting proxy server computer to the server computer in a cloud;
  
  receiving from the server computer in the cloud, a returned data object corresponding to the modified data object comprising a returned data element;
  
  extracting the random token value from the returned data element;
  
  generating the sensitive data element, comprising looking up the sensitive data element in the lookup table indexed by the random token value;
  
  formatting the sensitive data element based on a context of a data structure containing the sensitive data element in the returned data object, thus generating a formatted sensitive data element;
  
  replacing the returned data element with the formatted sensitive data element thereby generating a modified returned data object for transmitting to the client device; and
  
  identifying the returned data element as a token-to-be-replaced, wherein the identifying the returned data element as the token-to-be-replaced further comprises;
  
  mapping data in the returned data object against a dictionary of attributes; and
  
  identifying the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the context in the modified data object comprises metadata describing the sensitive data element.
  - 3. The method of claim 1, wherein the concatenating further comprises concatenating a predetermined suffix to the replacement value.
  - 4. The method of claim 1 further comprising identifying the sensitive data element in the data object.
  - 5. The method of claim 4, the identifying the sensitive data element further comprises:
    - mapping the data in the data object against a dictionary of attributes; and
      
      identifying the sensitive data element using a corresponding attribute in the dictionary.
  - 6. The method of claim 1 wherein a type of the data structure containing the sensitive data element is selected from the group consisting of HTML (Hypertext Markup Language), XML (Extensible Markup Language), SOAP (Simple Object Access protocol), and JSON (JavaScript Object Notation).

7. An intercepting proxy server computer for obfuscating a sensitive data element in a data object received from a client device, comprising:
- a processor; and
  
  a memory having computer readable instructions stored thereon for execution by the processor, for causing the processor to;
  
  create a token having a random token;
  
  concatenate a predetermined prefix and the random token value to generate a replacement value;
  
  store a sensitive data element in a lookup table indexed by the random token value;
  
  replace the sensitive data element with the replacement value, thus generating a modified data object;
  
  transmit the modified data object from the intercepting proxy server computer to the server computer in a cloud;
  
  receive from the server computer in the cloud, a returned data object corresponding to the modified data object comprising a returned data element;
  
  extract the random token value from the returned data element;
  
  generate the sensitive data element, comprising looking up the sensitive data element in the lookup table indexed by the random token value;
  
  format the sensitive data element based on a context of a data structure containing the sensitive data element in the returned data object, thus generating a formatted sensitive data element;
  
  replace the returned data element with the formatted sensitive data element thereby generating a modified returned data object to be transmitted to the client device; and
  
  identify the returned data element as a token-to-be-replaced, wherein the computer readable instructions that cause to processor to identify the returned data element as the token-to-be-replaced cause the processor to;
  
  map data in the returned data object against a dictionary of attributes; and
  
  identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The intercepting proxy server computer of claim 7, wherein the computer readable instructions cause the processor to format the sensitive data element according to the context in the modified data object comprising metadata describing the sensitive data element.
  - 9. The intercepting proxy server computer of claim 7, wherein the computer readable instructions that cause the processor to concatenate further cause the processor to concatenate a predetermined suffix to the replacement value.
  - 10. The intercepting proxy server computer of claim 7, wherein the computer readable instructions further cause the processor to identify the sensitive data element in the data object.
  - 11. The intercepting proxy server computer of claim 10, wherein the computer readable instructions that cause the processor to identify the sensitive data element cause the processor to:
    - map the data in the data object against a dictionary of attributes; and
      
      identify the sensitive data element using a corresponding attribute in the dictionary.
  - 12. The intercepting proxy server computer of claim 7 wherein a type of the data structure containing the sensitive data element is selected from the group consisting of HTML (Hypertext Markup Language), XML (Extensible Markup Language), SOAP (Simple Object Access protocol), and JSON (JavaScript Object Notation).

13. An intercepting proxy server computer for obfuscating a sensitive data element in a data object received from a client device, comprising:
- a processor having a network input/output (IO) system;
  
  a memory having computer readable instructions stored thereon for execution by the processor, the computer readable instructions comprising;
  
  a tooling module for identifying the sensitive data element in the data object;
  
  a token generator module for creating a token having a random token value and storing the sensitive data element in a lookup table indexed by the random token value; and
  
  a token packaging module for concatenating a predetermined prefix and the random token value to generate a replacement value, and replacing the sensitive data element with the replacement value, thus generating a modified data object wherein;
  
  the network input/output (IO) system is further configured to transmit the modified data object from the intercepting proxy server computer to a server computer in a cloud;
  
  the network input/output (IO) system is further configured to receive a returned data object, comprising;
  
  a returned sensitive data element, from the server computer in the cloud, extract the random token value from the returned data element, and look up the sensitive data element in the lookup table indexed by the random token value; and
  
  the computer readable instructions further comprise a context formatting module for formatting the returned sensitive data element according to a context of a data structure containing the sensitive data element in the returned data object and replace the sensitive returned data element with a formatted sensitive data element, thereby generating a modified returned data object for transmission to the client device; and
  
  the tooling module is further configured to map the data in the data object against a dictionary of attributes and identify the sensitive data element using a corresponding attribute in the dictionary, and wherein the tooling module is further configured to map data in the returned data object against a dictionary of attributes and identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The intercepting proxy server computer of claim 13, wherein the context formatting module is further configured to format the sensitive data element according to the context in the modified data object comprising metadata describing the sensitive data element.
  - 15. The intercepting proxy server computer of claim 13, wherein the token packaging module is further configured to add a predetermined suffix to the replacement value.
  - 16. The intercepting proxy server computer of claim 13, wherein the tooling module is further configured to map the data in the data object against a dictionary of attributes and identify the sensitive data element using a corresponding attribute in the dictionary.
  - 17. The intercepting proxy server computer of claim 13 wherein a type of the data structure containing the sensitive data element is selected from the group consisting of HTML (Hypertext Markup Language), XML (Extensible Markup Language), SOAP (Simple Object Access protocol), and JSON (JavaScript Object Notation).

18. A computer network, comprising:
- an intercepting proxy server computer for obfuscating a sensitive data element in a data object received from a client device, comprising;
  
  a processor; and
  
  a memory having computer readable instructions stored thereon for execution by the processor, for causing the processor to;
  
  create a token having a random token;
  
  concatenate a predetermined prefix and the random token value to generate a replacement value;
  
  store a sensitive data element in a lookup table indexed by the random token value;
  
  replace the sensitive data element with the replacement value, thus generating a modified data object;
  
  transmit the modified data object from the intercepting proxy server computer to the server computer in a cloud;
  
  receive from the server computer in the cloud, a returned data object corresponding to the modified data object comprising a returned data element;
  
  extract the random token value from the returned data element;
  
  generate the sensitive data element, comprising looking UP the sensitive data element in the lookup table indexed by the random token value;
  
  format the sensitive data element based on a context of a data structure containing the sensitive data element in the returned data object, thus generating a formatted sensitive data element;
  
  replace the returned data element with the formatted sensitive data element thereby generating a modified returned data object to be transmitted to the client device; and
  
  identify the returned data element as a token-to-be-replaced, wherein the computer readable instructions that cause to processor to identify the returned data element as the token-to-be-replaced cause the processor to;
  
  map data in the returned data object against a dictionary of attributes; and
  
  identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.

19. A computer network, comprising:
- an intercepting proxy server computer for obfuscating a sensitive data element in a data object received from a client device, comprising;
  
  a processor having a network input/output (IO) system;
  
  a memory having computer readable instructions stored thereon for execution by the processor, the computer readable instructions comprising;
  
  a tooling module for identifying the sensitive data element in the data object;
  
  a token generator module for creating a token having a random token value and storing the sensitive data element in a lookup table indexed by the random token value; and
  
  a token packaging module for concatenating a predetermined prefix and the random token value to generate a replacement value, and replacing the sensitive data element with the replacement value, thus generating a modified data object;
  
  wherein;
  
  the network input/output (IO) system is further configured to transmit the modified data object from the intercepting proxy server computer to a server computer in a cloud;
  
  the network input/output (IO) system is further configured to receive a returned data object, comprising a returned sensitive data element, from the server computer in the cloud, extract the random token value from the returned data element, and look up the sensitive data element in the lookup table indexed by the random token value;
  
  the computer readable instructions further comprise a context formatting module for formatting the returned sensitive data element according to a context of a data structure containing the sensitive data element in the returned data object and replace the sensitive returned data element with a formatted sensitive data element, thereby generating a modified returned data object for transmission to the client device; and
  
  the tooling module is further configured to map the data in the data object against a dictionary of attributes and identify the sensitive data element using a corresponding attribute in the dictionary, and wherein the tooling module is further configured to map data in the returned data object against a dictionary of attributes and identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Perspecsys Corp.
Inventors
Ang, George Weilun, Townsend, Derek Jon, Woelfel, John Harold, Woloszyn, Terrence Peter
Primary Examiner(s)
Mejia, Anthony
Assistant Examiner(s)
GOODWIN, SCHQUITA D

Application Number

US13/450,879
Publication Number

US 20120278504A1
Time in Patent Office

1,104 Days
Field of Search

713/193, 713/172, 713/185, 705/65, 726/3, 726/10, 726/26, 726/9, 707/737, 707/500, 380/30, 725/109, 709/246
US Class Current

709/246
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/602   Providing cryptographic fac...

G09C 1/00   Apparatus or methods whereb...

H04L 61/2596   Translation of addresses of...

H04L 61/301   Name conversion

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

System and method for tokenization of data for storage in a cloud

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for tokenization of data for storage in a cloud

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links