Secure format-preserving encryption of data fields
First Claim
1. A computer-implemented method, comprising:
- extracting first key derivation data from one or more fields in a first row of data to be stored in a database, wherein the database comprises two or more rows of data;
- generating, by a computer processor, a first encryption subkey by combining the first key derivation data with a static key;
- encrypting one or more sensitive fields in the first row of data with format-preserving encryption using the first encryption subkey, wherein the one or more fields in the first row of data that are used for the first key derivation data remain unencrypted;
- storing the first row of data, comprising the encrypted one or more sensitive fields, in the database, wherein the first encryption subkey is not stored in the database;
- wherein one or more sensitive fields in each of the two or more rows of the database are encrypted using a respective unique encryption subkey for the row, and wherein the respective unique encryption subkey for each row is based on the static key and on a respective key derivation data for the row, wherein the respective key derivation data comprises a combination of a primary key of the row and a modification time of the row and wherein the primary key and modification time are unencrypted;
- detecting a modification to the one or more fields of the first row used for the first key derivation data; and
- re-encrypting the one or more sensitive fields of the first row, based on modified key derivation data in the one or more fields of the row used for the first key derivation data, responsive to the modification of the one or more fields used for the first key derivation data.
Abstract
In one embodiment, a computer-implemented method includes extracting first key derivation data from a first row of data to be stored in a database, where the database includes two or more rows of data. A first encryption subkey is generated, by a computer processor, by combining the first key derivation data with a static key. One or more sensitive fields in each row of the two or more rows of the database are encrypted using a unique corresponding encryption subkey for the row, and the first encryption subkey is unique to the first row among the two or more rows of the database. The one or more sensitive fields in the first row of data are encrypted with format-preserving encryption using the first encryption subkey. The first row of data, including the encrypted one or more sensitive fields, is stored in the database.
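The flow in claim 1, as an added Python example that is not taken from the patent: a per-row subkey derived from the static key plus the cleartext primary key and modification time, format-preserving encryption of a digit field, and re-encryption when the modification time changes. Assumptions: HMAC-SHA256 stands in for the unspecified "combining" step, a toy Feistel cipher over decimal strings stands in for a standardized FPE mode such as NIST FF1, and the field names `id`, `mtime` and `ssn` and the key value are hypothetical.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves end in their original positions
STATIC_KEY = b"constructed-demo-static-key"  # constructed; the real key lives outside the database

def derive_subkey(static_key: bytes, primary_key: int, mtime: str) -> bytes:
    """Per-row subkey from the static key plus the row's cleartext primary key and mtime."""
    info = f"{primary_key}|{mtime}".encode()
    return hmac.new(static_key, info, hashlib.sha256).digest()

def _prf(key: bytes, rnd: int, n: int, half: str, m: int) -> int:
    """Round function: HMAC over round number, field length and one half, reduced to m digits."""
    mac = hmac.new(key, f"{rnd}|{n}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10**m

def fpe_digits(key: bytes, digits: str, decrypt: bool = False) -> str:
    """Toy Feistel cipher over decimal strings: output keeps the length and alphabet."""
    if not (digits.isascii() and digits.isdigit() and len(digits) >= 2):
        raise ValueError("expected an ASCII digit string of length >= 2")
    n, u = len(digits), len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else n - u
        if decrypt:
            a, b = str((int(b) - _prf(key, i, n, a, m)) % 10**m).zfill(m), a
        else:
            a, b = b, str((int(a) + _prf(key, i, n, b, m)) % 10**m).zfill(m)
    return a + b

def protect_row(row: dict, sensitive=("ssn",), decrypt: bool = False) -> dict:
    """Encrypt (or decrypt) the sensitive fields; id and mtime stay in cleartext."""
    key = derive_subkey(STATIC_KEY, row["id"], row["mtime"])  # never stored with the row
    return {**row, **{f: fpe_digits(key, row[f], decrypt) for f in sensitive}}

def on_mtime_change(stored: dict, new_mtime: str) -> dict:
    """Key derivation data changed: decrypt under the old subkey, re-encrypt under the new one."""
    plain = protect_row(stored, decrypt=True)  # must run before mtime is overwritten
    return protect_row({**plain, "mtime": new_mtime})

if __name__ == "__main__":
    # Constructed rows: same SSN, different primary keys.
    r1 = protect_row({"id": 1, "mtime": "2024-01-01T00:00:00Z", "ssn": "123456789"})
    r2 = protect_row({"id": 2, "mtime": "2024-01-01T00:00:00Z", "ssn": "123456789"})
    print(r1["ssn"], r2["ssn"], on_mtime_change(r1, "2024-06-01T12:00:00Z")["ssn"])
```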
11 Citations
4 Claims
Specification