System and method to anonymize data transmitted to a destination computing device

US 9,432,342 B1
Filed: 01/29/2015
Issued: 08/30/2016
Est. Priority Date: 03/08/2011
Status: Active Grant

First Claim

Patent Images

1. A method for anonymizing data, comprising:

receiving data to be anonymized by an anonymization system executed on a computing device, the data including a plurality of characters;

generating a request for a data encryption key with a corresponding request identifier;

providing a data store associating a plurality of generated masked data encryption key with their corresponding request identifier;

verifying if there is a match between the corresponding request identifier and a stored request identifier;

when there is a match, receiving the associated masked data encryption key corresponding to the request identifier for the data encryption key in response to the request;

when there is no match, generating a masked data encryption key corresponding to the request identifier for the data encryption key byproviding a first encryption key, a second encryption key and a master key;

masking the master key with the first encryption key using a computer implemented first crypto function to generate a masked master key; and

generating the masked data encryption key using a computer implemented second crypto function and the masked master key;

receiving the generated masked data encryption key in response to the request;

retrieving the data encryption key from the received masked data encryption key by de-masking the masked data encryption key using a computer implemented third crypto function and the second encryption key; and

anonymizing the data using an anonymization module executed on the computing device to derive an anonymized data using the retrieved data encryption key.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for anonymizing data is disclosed. Data to be anonymized is received by an anonymization system. A request for a data encryption key is generated. A masked data encryption key is received in response to the request. The data encryption key is retrieved from the masked data encryption key. The data is anonymized using an anonymization module to derive an anonymized data using the data encryption key.

85 Citations

View as Search Results

18 Claims

1. A method for anonymizing data, comprising:
- receiving data to be anonymized by an anonymization system executed on a computing device, the data including a plurality of characters;
  
  generating a request for a data encryption key with a corresponding request identifier;
  
  providing a data store associating a plurality of generated masked data encryption key with their corresponding request identifier;
  
  verifying if there is a match between the corresponding request identifier and a stored request identifier;
  
  when there is a match, receiving the associated masked data encryption key corresponding to the request identifier for the data encryption key in response to the request;
  
  when there is no match, generating a masked data encryption key corresponding to the request identifier for the data encryption key byproviding a first encryption key, a second encryption key and a master key;
  
  masking the master key with the first encryption key using a computer implemented first crypto function to generate a masked master key; and
  
  generating the masked data encryption key using a computer implemented second crypto function and the masked master key;
  
  receiving the generated masked data encryption key in response to the request;
  
  retrieving the data encryption key from the received masked data encryption key by de-masking the masked data encryption key using a computer implemented third crypto function and the second encryption key; and
  
  anonymizing the data using an anonymization module executed on the computing device to derive an anonymized data using the retrieved data encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further including:
    - storing the request identifier and corresponding generated masked data encryption key in the data store.
  - 3. The method of claim 1, wherein the first crypto function is configured such that the master key may not be derived from the masked master key and the first encryption key.
  - 4. The method of claim 3, wherein the second crypto function and the third crypto function are configured such that effect of first encryption key on the masked data encryption key generated using the second crypto function is negated by the second encryption key using the third crypto function.
  - 5. The method of claim 1, wherein, the first crypto function is executed in an administrator system;
    - the second crypto function is executed in a key manager system; and
      
      the third crypto function is executed in the anonymization system.
  - 6. The method of claim 5, further including:
    - receiving the request for the data encryption key by the key manager system;
      
      generating the masked data encryption key by the key manager system; and
      
      responding with the masked data encryption key by the key manager system.
  - 7. The method of claim 1, further including:
    - feeding a DEK seed and the masked master key to the second crypto function as input to generate the masked data encryption key.
  - 8. The method of claim 7,further including:
    - storing the request identifier and the DEK seed corresponding to the generated masked data encryption key in a data store;
      
      receiving a subsequent request for a data encryption key with a corresponding request identifier;
      
      verifying if there is a match between the corresponding request identifier and the stored request identifier; and
      
      when there is a match, regenerating the masked data encryption key by using the masked master key and the DEK seed corresponding to the stored request identifier and responding with the regenerated masked data encryption key;
      
      when there is no match, generating a new masked data encryption key and responding with the new generated masked data encryption key.
  - 9. The method of claim 5, wherein the administrator system transmits the masked master key to the key manager system and transmits the second encryption key to the anonymization system.

10. A system to anonymize data, comprising:
- an anonymization system executed on a computing device configured to receive data to be anonymized, the data including a plurality of characters;
  
  generate a request for a data encryption key with a corresponding request identifier;
  
  receive a masked data encryption key in response to the request;
  
  retrieve the data encryption key from the masked data encryption key; and
  
  anonymize the data using an anonymization module executed on the computing device to derive an anonymized data using the retrieved data encryption key,wherein the system further including;
  
  a data store with each generated masked data encryption key associated with their corresponding request identifier;
  
  a match between the corresponding request identifier and a stored request identifier is verified for a match by the system, andwhen there is a match, the masked data encryption key corresponding to the request identifier is received in response to the request;
  
  when there is no match, a masked data encryption key corresponding to the request identifier for the data encryption key is generated and received in response to the request, wherein a masked master key is generated by masking a master key with a first encryption key using a computer implemented first crypto function; and
  
  the masked data encryption key is generated using a computer implemented second crypto function and the masked master key; and
  
  wherein, the data encryption key is retrieved from the received masked data encryption key by de-masking the masked data encryption key using a computer implemented third crypto function and a second encryption key.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the request identifier and the corresponding generated masked data encryption key is stored in the data store.
  - 12. The system of claim 10, wherein the first crypto function is configured such that the master key may not be derived from the masked master key and the first encryption key.
  - 13. The system of claim 12, wherein the second crypto function and the third crypto function are configured such that effect of first encryption key on the masked data encryption key generated using the second crypto function is negated by the second encryption key using the third crypto function.
  - 14. The system of claim 10, wherein, the first crypto function is executed in an administrator system;
    - the second crypto function is executed in a key manager system; and
      
      the third crypto function is executed in the anonymization system.
  - 15. The system of claim 14, wherein the key manager system receives the request for the data encryption key;
    - generates the masked data encryption key; and
      
      responds with the masked data encryption key.
  - 16. The system of claim 10, wherein a DEK seed and the masked master key is fed to the second crypto function as input to generate the masked data encryption key.
  - 17. The system of claim 16,wherein the request identifier and the DEK seed corresponding to the generated masked data encryption key is stored in a data store;
    - upon receipt of a subsequent request for a data encryption key with a corresponding request identifier, the corresponding request identifier is compared with the stored request identifier; and
      
      when there is a match between the corresponding request identifier and the stored request identifier, the masked data encryption key is regenerated by using the masked master key and the DEK seed corresponding to the stored request identifier and the regenerated masked data encryption key is returned in response to the request;
      
      when there is no match, a new masked data encryption key is generated and the new generated masked data encryption key is returned in response to the request.
  - 18. The system of claim 14, wherein the administrator system transmits the masked master key to the key manager system and transmits the second encryption key to the anonymization system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Ciphercloud Incorporated
Inventors
Gorantla, Malakondayya, Kothari, Pravin
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
Chaudhry, Muhammad

Application Number

US14/609,402
Time in Patent Office

579 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6254   by anonymising data, e.g. d...

H04L 2463/062   applying encryption of the ...

H04L 63/0421   Anonymous communication, i....

H04L 63/0435   wherein the sending and rec...

H04L 63/0478   applying multiple layers of...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/08   Key distribution or managem...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

System and method to anonymize data transmitted to a destination computing device

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to anonymize data transmitted to a destination computing device

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links