Method and system for secure key rotation

US 9,953,317 B2
Filed: 03/13/2013
Issued: 04/24/2018
Est. Priority Date: 03/13/2013
Status: Active Grant

First Claim

Patent Images

1. A computer system for executing electronic payment transactions while conducting a key rotation and re-keying comprising:

a transaction server comprised of memory comprised of a first decryption key and a second decryption key corresponding to a first key identifier and a second key identifier stored in the memory,the transaction server further comprised of a data structure representing a key table, said key table comprised of data representing a third key identifier and a fourth key identifier;

the transaction server further comprised of logic configured to;

receive from the key table the third key identifier and the fourth key identifier;

receive a first encrypted data representing a first payment token encrypted by a third encryption key and a second encrypted data representing the first payment token encrypted by a fourth encryption key, each of the third and fourth encryption keys corresponding to the third and fourth key identifiers comprising the key table;

determine which one of either the third or fourth key identifiers correspond to the first or second key identifiers;

select one of the first or second received encrypted data that corresponds to the determined one of the third or fourth key identifiers; and

decrypt the selected received encrypted data using the one of the first or second decryption keys whose key identifier was determined to correspond to the third or fourth key identifier; and

a keying server comprised of logic configured to;

receive the first and the second key identifiers, where the first key identifier corresponds to the youngest of the first or second encryption keys;

receive the third and the fourth key identifiers;

receive the first encrypted data and the second encrypted data;

determine whether the pair of third and fourth key identifiers fail to correspond to the pair of first and second key identifiers, and in dependence on such determination, decrypting whichever of the first or second encrypted data corresponds to the fourth key identifier and re-encrypting the decrypted data using the first encryption key that corresponds to the younger of the first or second encryption keys.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention discloses a novel system for securing and using payment token data in a system for processing electronic payment transactions that does not require down-time for rekeying encryption keys when the keys are rotated.

Citations

8 Claims

1. A computer system for executing electronic payment transactions while conducting a key rotation and re-keying comprising:
- a transaction server comprised of memory comprised of a first decryption key and a second decryption key corresponding to a first key identifier and a second key identifier stored in the memory,the transaction server further comprised of a data structure representing a key table, said key table comprised of data representing a third key identifier and a fourth key identifier;
  
  the transaction server further comprised of logic configured to;
  
  receive from the key table the third key identifier and the fourth key identifier;
  
  receive a first encrypted data representing a first payment token encrypted by a third encryption key and a second encrypted data representing the first payment token encrypted by a fourth encryption key, each of the third and fourth encryption keys corresponding to the third and fourth key identifiers comprising the key table;
  
  determine which one of either the third or fourth key identifiers correspond to the first or second key identifiers;
  
  select one of the first or second received encrypted data that corresponds to the determined one of the third or fourth key identifiers; and
  
  decrypt the selected received encrypted data using the one of the first or second decryption keys whose key identifier was determined to correspond to the third or fourth key identifier; and
  
  a keying server comprised of logic configured to;
  
  receive the first and the second key identifiers, where the first key identifier corresponds to the youngest of the first or second encryption keys;
  
  receive the third and the fourth key identifiers;
  
  receive the first encrypted data and the second encrypted data;
  
  determine whether the pair of third and fourth key identifiers fail to correspond to the pair of first and second key identifiers, and in dependence on such determination, decrypting whichever of the first or second encrypted data corresponds to the fourth key identifier and re-encrypting the decrypted data using the first encryption key that corresponds to the younger of the first or second encryption keys.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 where the transaction server is further comprised of logic configured to:
    - receive the first payment token;
      
      receive the second and the third key identifiers;
      
      encrypt the first payment token with the encryption key associated with the second key identifier;
      
      input the encrypted first payment token into a data record entry corresponding to the first payment token, said entry further corresponding to the second key identifier, where the first and second key identifiers are numerically distinct and the first and second encryption keys are numerically distinct.
  - 3. The system of claim 1 where the transaction server is further comprised of logic configured to:
    - determine if neither the first nor second key identifiers match either the third or fourth key identifiers, and in dependence thereon, request from a remote server server and receive from said remote server encrypted forms of the third decryption key and the fourth decryption key corresponding to the third and fourth key identifiers.
  - 4. The system of claim 3 further comprised of logic configured to prevent the key rotation and rekeying until the system detects a condition that the request from said remote server step returns a null result instead of the third and fourth decryption keys.

5. A method executed by a computer system for executing electronic payment transactions while conducting a key rotation and re-keying, the computer system comprised of a transaction server comprised of memory comprised of a first decryption key and a second decryption key corresponding to a first key identifier and a second key identifier and a data structure representing a key table and a keying server comprising:
- at the transaction server,storing in the key table a third key identifier and a fourth key identifier;
  
  receiving a first encrypted data representing a first payment token encrypted by a third encryption key and a second encrypted data representing the first payment token encrypted by a fourth encryption key, each of the third and fourth encryption keys corresponding to the third and fourth key identifiers comprising the key table;
  
  determining which one of either the third or fourth key identifiers correspond to the first or second key identifiers;
  
  selecting one of the first or second received encrypted data that corresponds to the determined one of the third or fourth key identifiers; and
  
  decrypting the selected received encrypted data using the one of the first or second decryption keys whose key identifier was determined to correspond to the third or fourth key identifier; and
  
  at the keying server,receiving the first and the second key identifiers, where the first key identifier corresponds to the youngest of the first or second encryption keys;
  
  receiving the third and the fourth key identifiers;
  
  receiving the first encrypted data and the second encrypted data;
  
  determining whether the pair of third and fourth key identifiers fail to correspond to the pair of first and second key identifiers; and
  
  in dependence on such determination, decrypting whichever of the first or second encrypted data corresponds to the fourth key identifier and re-encrypting the decrypted data using the first encryption key that corresponds to the younger of the first or second encryption keys.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5 further comprising:
    - at the transaction server,receiving the first payment token;
      
      receiving the second and the third key identifiers;
      
      encrypting the first payment token with the encryption key associated with the second key identifier; and
      
      inputting the encrypted first payment token into a data record entry corresponding to the first payment token, said entry further corresponding to the second key identifier, where the first and second key identifiers are numerically distinct and the first- and second encryption keys are numerically distinct.
  - 7. The method of claim 5 further comprising:
    - at the transaction server,determining if neither the first nor second key identifiers match either the third or fourth key identifiers, and in dependence thereon, requesting from a remote server and receiving from said remote server encrypted forms of the third decryption key and the fourth decryption key corresponding to the third and fourth key identifiers.
  - 8. The method of claim 7 further comprising:
    - preventing the key rotation and the rekeying until the system detects a condition that the request from said remote server step returns a null result instead of the third and fourth decryption keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lightspeed Commerce USA Incorporated
Original Assignee
Shopkeep.com Incorporated
Inventors
Abou-Nasr, Yasser, Boland, Michael
Primary Examiner(s)
Ebersman, Bruce I

Application Number

US13/798,832
Publication Number

US 20140279557A1
Time in Patent Office

1,868 Days
Field of Search

705 71
US Class Current
CPC Class Codes

G06Q 20/34 using cards, e.g. integrate...

G06Q 20/3829 involving key management

Method and system for secure key rotation

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for secure key rotation

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links