Centrally managed use case-specific entity identifiers

US 9,344,407 B1
Filed: 09/05/2013
Issued: 05/17/2016
Est. Priority Date: 09/05/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, comprising:

determine, in response to receiving identifier translation request from a requesting service, the identifier translation request comprising a first use case-specific entity identifier that is specific to a first use case, whether the requesting service has authorization to translate entity identifiers to entity identifiers specific to a second use case;

reject the identifier translation request when the requesting service does not have authorization;

generate, in response to receiving an actual entity identifier by decrypting the first use case-specific entity identifier, a second use case-specific entity identifier based at least in part on encrypting the actual entity identifier using a use case-generic encryption key and a use case-specific salt, the second use case-specific entity identifier and the use case-specific salt being specific to the second use case; and

send, responsive to the requesting service having authorization, the second use case-specific entity identifier to the requesting service in response to the identifier translation request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for centrally managed use case-specific entity identifiers. An identifier translation service receives an identifier translation request from a requesting service. The request specifies a first use case-specific entity identifier, which is specific to a first use case. An actual entity identifier is obtained by decrypting the first use case-specific entity identifier. A second use case-specific entity identifier is generated based at least in part on encrypting the actual entity identifier. The second use case-specific entity identifier is sent to the requesting service in response to the identifier translation request.

10 Citations

View as Search Results

21 Claims

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, comprising:
- determine, in response to receiving identifier translation request from a requesting service, the identifier translation request comprising a first use case-specific entity identifier that is specific to a first use case, whether the requesting service has authorization to translate entity identifiers to entity identifiers specific to a second use case;
  
  reject the identifier translation request when the requesting service does not have authorization;
  
  generate, in response to receiving an actual entity identifier by decrypting the first use case-specific entity identifier, a second use case-specific entity identifier based at least in part on encrypting the actual entity identifier using a use case-generic encryption key and a use case-specific salt, the second use case-specific entity identifier and the use case-specific salt being specific to the second use case; and
  
  send, responsive to the requesting service having authorization, the second use case-specific entity identifier to the requesting service in response to the identifier translation request.
- View Dependent Claims (2, 3)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the second use case is specific to the requesting service.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the first use case-specific entity identifier, the second use case-specific entity identifier, and the actual entity identifier uniquely identify a single customer entity.

4. A system, comprising:
- at least one computing device configured to at least;
  
  decrypt, in response to receiving an identifier translation request from a requesting service, the identifier translation request comprising a first use case-specific entity identifier that is specific to a first use case, the first use case-specific entity identifier to produce an actual entity identifier;
  
  generate a second use case-specific entity identifier based at least in part on encrypting the actual entity identifier, the second use case-specific entity identifier being specific to a second use case; and
  
  send the second use case-specific entity identifier to the requesting service in response to the identifier translation request.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 5. The system of claim 4, wherein decrypting the first use case-specific entity identifier further comprises determining a decryption key based at least in part on the first use case-specific entity identifier, the decryption key being employed to decrypt the first use case-specific entity identifier.
  - 6. The system of claim 4, wherein decrypting the first use case-specific entity identifier further comprises determining a use case-specific salt based at least in part on the first use case-specific entity identifier, the use case-specific salt being employed to produce the actual entity identifier.
  - 7. The system of claim 4, wherein the at least one computing device is further configured to determine whether the requesting service has authorization to translate entity identifiers into entity identifiers specific to the second use case.
  - 8. The system of claim 4, wherein the identifier translation request specifies the second use case.
  - 9. The system of claim 4, wherein the at least one computing device is further configured to determine the second use case based at least in part on an identity of the requesting service.
  - 10. The system of claim 4, wherein generating the second use case-specific entity identifier comprises encrypting the actual entity identifier using reversible encryption.
  - 11. The system of claim 4, wherein generating the second use case-specific entity identifier comprises encrypting the actual entity identifier using an encryption key specific to the second use case.
  - 12. The system of claim 11, wherein the at least one computing device is further configured to select the encryption key from a plurality of encryption keys specific to the second use case.
  - 13. The system of claim 4, wherein generating the second use case-specific entity identifier comprises encrypting the actual entity identifier using a salt specific to the second use case.
  - 14. The system of claim 13, wherein generating the second use case-specific entity identifier comprises encrypting the actual entity identifier using an encryption key shared by the first use case and the second use case, and the second use case-specific entity identifier differs from the first use case-specific entity identifier.

15. A method, comprising:
- receiving, via at least one of one or more computing devices, an identifier translation request from a requesting service, the identifier translation request comprising a plurality of first use case-specific entity identifiers, the plurality of first use case-specific entity identifiers being specific to a first use case;
  
  obtaining, via at least one of the one or more computing devices, a plurality of actual entity identifiers by decrypting the plurality of first use case-specific entity identifiers;
  
  generating, via at least one of the one or more computing devices, a plurality of second use case-specific entity identifiers based at least in part on encrypting individual ones of the plurality of actual entity identifiers, the plurality of second use case-specific entity identifiers being specific to a second use case; and
  
  sending, via at least one of the one or more computing devices, the plurality of second use case-specific entity identifiers to the requesting service in response to the identifier translation request.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, further comprising:
    - determining, via at least one of the one or more computing devices, whether the requesting service has authorization to access the plurality of second use case-specific entity identifiers; and
      
      rejecting, via at least one of the one or more computing devices, the identifier translation request when the requesting service does not have authorization to access the plurality of second use case-specific entity identifiers.
  - 17. The method of claim 15, wherein generating the plurality of second use case-specific entity identifiers further comprises at least one of:
    - encrypting, via at least one of the one or more computing devices, the individual ones of the plurality of actual entity identifiers using a salt specific to the second use case and a first encryption key generic to the second use case, the salt comprising a randomization value, a nonce value, or an initialization vector;
      
      orencrypting, via at least one of the one or more computing devices, the individual ones of the plurality of actual entity identifiers using a second encryption key specific to the second use case.
  - 18. The method of claim 15, further comprising:
    - selecting, via at least one of the one or more computing devices, for a particular one of the plurality of actual entity identifiers, a particular one of a plurality of encryption keys specific to the second use case, the selecting being based at least in part on the particular one of the plurality of actual entity identifiers; and
      
      encrypting, via at least one of the one or more computing devices, the particular one of the plurality of actual entity identifiers using the particular one of the plurality of encryption keys.
  - 19. The method of claim 15, wherein decrypting the plurality of first use case-specific entity identifiers comprises determining a plurality of decryption keys based at least in part on the plurality of first use case-specific entity identifiers, the plurality of decryption keys being employed to decrypt corresponding ones of the plurality of first use case-specific entity identifiers.
  - 20. The method of claim 15, wherein decrypting the plurality of first use case-specific entity identifiers comprises determining a plurality of use case-specific salts based at least in part on the first use case-specific entity identifiers, the plurality of use case-specific salts being employed to obtain the plurality of actual entity identifiers.
  - 21. The method of claim 15, wherein the identifier translation request specifies the second use case.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McClintock, Jon Arron, Canavor, Darren Ernest, Hitchcock, Daniel Wade, Johansson, Jesper Mikael, Bhimanaik, Bharath Kumar
Primary Examiner(s)
To, Baotran N

Application Number

US14/019,124
Time in Patent Office

985 Days
Field of Search

713/168, 713/189, 726/4
US Class Current

1/1
CPC Class Codes

G06F 21/6254 by anonymising data, e.g. d...

H04L 63/0407 wherein the identity of one...

Centrally managed use case-specific entity identifiers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Centrally managed use case-specific entity identifiers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links