Method and system for secure key rotation
First Claim
Patent Images
1. A computer system for executing electronic payment transactions while conducting a key rotation and re-keying comprising:
- a transaction server comprised of memory comprised of a first decryption key and a second decryption key corresponding to a first key identifier and a second key identifier stored in the memory,the transaction server further comprised of a data structure representing a key table, said key table comprised of data representing a third key identifier and a fourth key identifier;
the transaction server further comprised of logic configured to;
receive from the key table the third key identifier and the fourth key identifier;
receive a first encrypted data representing a first payment token encrypted by a third encryption key and a second encrypted data representing the first payment token encrypted by a fourth encryption key, each of the third and fourth encryption keys corresponding to the third and fourth key identifiers comprising the key table;
determine which one of either the third or fourth key identifiers correspond to the first or second key identifiers;
select one of the first or second received encrypted data that corresponds to the determined one of the third or fourth key identifiers; and
decrypt the selected received encrypted data using the one of the first or second decryption keys whose key identifier was determined to correspond to the third or fourth key identifier; and
a keying server comprised of logic configured to;
receive the first and the second key identifiers, where the first key identifier corresponds to the youngest of the first or second encryption keys;
receive the third and the fourth key identifiers;
receive the first encrypted data and the second encrypted data;
determine whether the pair of third and fourth key identifiers fail to correspond to the pair of first and second key identifiers, and in dependence on such determination, decrypting whichever of the first or second encrypted data corresponds to the fourth key identifier and re-encrypting the decrypted data using the first encryption key that corresponds to the younger of the first or second encryption keys.
10 Assignments
0 Petitions
Accused Products
Abstract
This invention discloses a novel system for securing and using payment token data in a system for processing electronic payment transactions that does not require down-time for rekeying encryption keys when the keys are rotated.
-
Citations
8 Claims
-
1. A computer system for executing electronic payment transactions while conducting a key rotation and re-keying comprising:
-
a transaction server comprised of memory comprised of a first decryption key and a second decryption key corresponding to a first key identifier and a second key identifier stored in the memory, the transaction server further comprised of a data structure representing a key table, said key table comprised of data representing a third key identifier and a fourth key identifier; the transaction server further comprised of logic configured to; receive from the key table the third key identifier and the fourth key identifier; receive a first encrypted data representing a first payment token encrypted by a third encryption key and a second encrypted data representing the first payment token encrypted by a fourth encryption key, each of the third and fourth encryption keys corresponding to the third and fourth key identifiers comprising the key table; determine which one of either the third or fourth key identifiers correspond to the first or second key identifiers; select one of the first or second received encrypted data that corresponds to the determined one of the third or fourth key identifiers; and decrypt the selected received encrypted data using the one of the first or second decryption keys whose key identifier was determined to correspond to the third or fourth key identifier; and a keying server comprised of logic configured to; receive the first and the second key identifiers, where the first key identifier corresponds to the youngest of the first or second encryption keys; receive the third and the fourth key identifiers; receive the first encrypted data and the second encrypted data; determine whether the pair of third and fourth key identifiers fail to correspond to the pair of first and second key identifiers, and in dependence on such determination, decrypting whichever of the first or second encrypted data corresponds to the fourth key identifier and re-encrypting the decrypted data using the first encryption key that corresponds to the younger of the first or second encryption keys. - View Dependent Claims (2, 3, 4)
-
-
5. A method executed by a computer system for executing electronic payment transactions while conducting a key rotation and re-keying, the computer system comprised of a transaction server comprised of memory comprised of a first decryption key and a second decryption key corresponding to a first key identifier and a second key identifier and a data structure representing a key table and a keying server comprising:
-
at the transaction server, storing in the key table a third key identifier and a fourth key identifier; receiving a first encrypted data representing a first payment token encrypted by a third encryption key and a second encrypted data representing the first payment token encrypted by a fourth encryption key, each of the third and fourth encryption keys corresponding to the third and fourth key identifiers comprising the key table; determining which one of either the third or fourth key identifiers correspond to the first or second key identifiers; selecting one of the first or second received encrypted data that corresponds to the determined one of the third or fourth key identifiers; and decrypting the selected received encrypted data using the one of the first or second decryption keys whose key identifier was determined to correspond to the third or fourth key identifier; and at the keying server, receiving the first and the second key identifiers, where the first key identifier corresponds to the youngest of the first or second encryption keys; receiving the third and the fourth key identifiers; receiving the first encrypted data and the second encrypted data; determining whether the pair of third and fourth key identifiers fail to correspond to the pair of first and second key identifiers; and in dependence on such determination, decrypting whichever of the first or second encrypted data corresponds to the fourth key identifier and re-encrypting the decrypted data using the first encryption key that corresponds to the younger of the first or second encryption keys. - View Dependent Claims (6, 7, 8)
-
Specification