Data obfuscation

US 9,946,895 B1
Filed: 12/15/2015
Issued: 04/17/2018
Est. Priority Date: 12/15/2015
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, from a processing system of a multi-tenant environment, a request for customer data stored by a data storage system of the multi-tenant environment, the customer data associated with a customer having an account with a provider of the multi-tenant environment;

determining, per an access policy specified by the customer, that a portion of the customer data for the request is sensitive data that is restricted from full access by the processing system;

determining a first key and a separate second key corresponding to the sensitive data;

generating a token for the sensitive data, the token generated using the first key and ciphertext of the sensitive data generated using the second key, an initialization vector, and padding;

providing the token for the sensitive data, along with other non-sensitive customer data for the request, to the processing system; and

causing the processing system to aggregate the sensitive data, and other non-sensitive customer data, with additional data for additional customers, wherein aggregated data analysis is enabled to be performed by the processing system without the processing system having access to an unencrypted form of the sensitive data for the customer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Sensitive data can be obfuscated before being provided for processing (i.e., aggregating, sorting, grouping, or transforming) using a pair of keys to generate a token that contains the sensitive data. The token can include a synthetic initialization vector, generated using a first key, and a ciphertext portion including the sensitive data encrypted under a second key. This tokenization can be performed by a data service or by an intermediate service that acts as an overlay or proxy for the underlying data service. The tokenized data can be provided for processing, and can remain tokenized until being received by an entity or system having access to at least the second key. A receiving entity with access to the second key can decrypt the ciphertext to obtain the plaintext, and if the first key is available the entity can perform a further integrity check on the tokenized data.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, from a processing system of a multi-tenant environment, a request for customer data stored by a data storage system of the multi-tenant environment, the customer data associated with a customer having an account with a provider of the multi-tenant environment;
  
  determining, per an access policy specified by the customer, that a portion of the customer data for the request is sensitive data that is restricted from full access by the processing system;
  
  determining a first key and a separate second key corresponding to the sensitive data;
  
  generating a token for the sensitive data, the token generated using the first key and ciphertext of the sensitive data generated using the second key, an initialization vector, and padding;
  
  providing the token for the sensitive data, along with other non-sensitive customer data for the request, to the processing system; and
  
  causing the processing system to aggregate the sensitive data, and other non-sensitive customer data, with additional data for additional customers, wherein aggregated data analysis is enabled to be performed by the processing system without the processing system having access to an unencrypted form of the sensitive data for the customer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving the token for the sensitive data by a receiving system having access to the second key; and
      
      decrypting the sensitive data from the ciphertext using the second key.
  - 3. The computer-implemented method of claim 2, further comprising:
    - verifying, at the receiving system, that an initialization vector generated by the receiving system, using the first key and the decrypted sensitive data, matches the initialization vector in the received token.
  - 4. The computer-implemented method of claim 1, further comprising:
    - storing an association between the sensitive data, the first key, and the second key, wherein a same token can be generated for a subsequent request using the sensitive data, the first key, and the second key.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving the request by an obfuscation service, the obfuscation service functioning as the data storage system from a viewpoint of the processing system;
      
      obtaining the sensitive data from the data storage system;
      
      generating the token by the obfuscation service; and
      
      providing the token to the processing service from the obfuscation service.

6. A computer-implemented method, comprising:
- receiving a request for data from a requesting system;
  
  determining that a portion of the data for the request is sensitive data having restricted access for the requesting system;
  
  determining a first key and a separate second key corresponding to the sensitive data;
  
  generating a token for the sensitive data, the token generated using the first key and ciphertext of the sensitive data generated using the second key, an initialization vector, and padding; and
  
  providing the token for the sensitive data, along with other non-sensitive data for the request, to the requesting system, wherein the requesting system is able to process the sensitive data and other non-sensitive data without the requesting system having access to an unencrypted version of the sensitive data.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The computer-implemented method of claim 6, further comprising:
    - enabling the requesting system to process the sensitive data and other non-sensitive data by at least one of aggregating, sorting, grouping, or transforming the sensitive data and other non-sensitive data.
  - 8. The computer-implemented method of claim 6, wherein the data for the request is stored by a data storage service, and further comprising:
    - receiving the request for data by an obfuscation system;
      
      obtaining the data for the request from the data storage service;
      
      generating the token via the obfuscation system; and
      
      providing the token to the requesting system from the obfuscation system, wherein the requesting system is enabled to interact with the obfuscation system as the requesting system would otherwise interact with the data storage service.
  - 9. The computer-implemented method of claim 6, wherein the data storage service is operated by a separate provider than a resource provider for the obfuscation system.
  - 10. The computer-implemented method of claim 6, wherein the data for the request is associated with a customer, and further comprising:
    - determining an access control policy corresponding to the data for the request; and
      
      determining the sensitive data based at least in part upon the access control policy.
  - 11. The computer-implemented method of claim 6, wherein the first key and the second key are symmetric cryptographic keys or asymmetric cryptographic keys.
  - 12. The computer-implemented method of claim 6, wherein the first key and the second key are portions of a single master key or generated using a key derivation scheme.
  - 13. The computer-implemented method of claim 6, further comprising:
    - determining a structure of the sensitive data; and
      
      maintaining the structure in providing the token for the sensitive data.
  - 14. The computer-implemented method of claim 6, further comprising:
    - storing an association between the sensitive data, the first key, and the second key, wherein a same token can be generated for a subsequent request using the sensitive data, the first key, and the second key.
  - 15. The computer-implemented method of claim 6, further comprising:
    - generating the initialization vector by computing a hash-based message authentication code (HMAC) using the first key and an algorithm selected from a family of SHA algorithms.
  - 16. The computer-implemented method of claim 6, further comprising:
    - receiving the token for the sensitive data; and
      
      decrypting the sensitive data from the ciphertext using the second key;
      
      verifying that an initialization vector generated using the first key and the decrypted sensitive data matches the initialization vector in the received token.

17. A system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  receive a request for data from a requesting system;
  
  determine that a portion of the data for the request is sensitive data having restricted access for the requesting system;
  
  determine a first key and a separate second key corresponding to the sensitive data;
  
  generate a token for the sensitive data, the token generated using the first key and ciphertext of the sensitive data generated using the second key, an initialization vector, and padding; and
  
  provide the token for the sensitive data, along with other non-sensitive data for the request, to the requesting system, wherein the requesting system is able to receive the sensitive data and other non-sensitive data without the requesting system having access to plaintext for the sensitive data.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the instructions when executed further cause the system to:
    - enable the requesting system to process the sensitive data and other non-sensitive data by at least one of aggregating, sorting, grouping, or transforming the sensitive data and other non-sensitive data.
  - 19. The system of claim 17, wherein the data for the request is stored by a data storage service, and wherein the instructions when executed further cause the system to:
    - receive the request for data to an obfuscation system;
      
      obtain the data for the request from the data storage service;
      
      generate the token via the obfuscation system; and
      
      provide the token to the requesting system from the obfuscation system, wherein the requesting system is enabled to interact with the obfuscation system as the requesting system would otherwise interact with the data storage service.
  - 20. The system of claim 17, wherein the instructions when executed further cause the system to:
    - receive the token for the sensitive data by a receiving system having access to the second key; and
      
      decrypt the sensitive data from the ciphertext using the second key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Kruse, William Frederick Hingle, Campagna, Matthew John, Mehr, Nima Sharifi, Nagda, Hardik, Berciu, Radu, Roth, Gergory Branchek
Primary Examiner(s)
Bayou, Yonas

Application Number

US14/969,686
Time in Patent Office

854 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 21/6245   Protecting personal data, e...

G06F 21/6263   during internet communicati...

Data obfuscation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data obfuscation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links