Key rotation for sensitive data tokenization
US-11381393-B2 · Jul 5, 2022 · US
US11849036B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11849036-B2 |
| Application number | US-202217808327-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 23, 2022 |
| Priority date | Sep 24, 2019 |
| Publication date | Dec 19, 2023 |
| Grant date | Dec 19, 2023 |
Official abstract text for this publication.
This document describes techniques for rotating the keys used to tokenize data in a streaming data store where data is retained for at most a maximum time [W]. In some embodiments, the data layer of such a store encrypts each arriving original data value twice: once with a first key, producing a first token, and once with a second key, producing a second token. Each token is stored separately, so a field may be associated with two database columns, one holding the value encrypted under the first key and the other holding the value encrypted under the second key. Keys are rotated after time [K], which is at least equal to and preferably longer than [W]. Rotation can involve discarding the older key and generating a new key, so that two keys remain in use.
Opening claim text (preview).
The invention claimed is:

1. A method for performing a read operation in a data store of a data layer, the method comprising: within the data layer providing data services to external client applications: receiving a request for a field; identifying first and second columns in the data store associated with the field, the first column holding a first encrypted value that was encrypted with a first key, and the second column holding a second encrypted value that was encrypted with a second key; selecting one of the first and second columns to read based at least in part on a difference in time between a current date-time and a date-time of a prior key rotation; upon selection of the first column, ignoring the second column, decrypting the first encrypted value using the first key, and sending the result in a response to the request for the field; and, upon selection of the second column, ignoring the first column, decrypting the second encrypted value using the second key rather, and sending the result in a response to the request for the field.
2. The method of claim 1, wherein the first and second keys are each time-limited keys.
3. The method of claim 1, wherein the date-time of the prior key rotation is a date-time of a most recent key rotation in the data layer.
4. The method of claim 1, wherein the selecting one of the first and second columns to read, based at least in part on the difference in time between the current date-time and the date-time of a prior key rotation, comprises: if the difference is greater than a maximum data lifetime in the data layer, selecting the first column; and, if the difference is less than the maximum data lifetime in the data layer, selecting the second column.
5. The method of claim 1, wherein the first key comprises a current key and the second key comprises a prior key.
6. A system, comprising one or more computers having circuitry forming one or more processors and memory holding computer program instructions for execution on the one or more processors to form a data layer that has a data store, the computer program instructions when executed causing the one or more computers to perform a read operation, the read operation comprising: within the data layer, which provides data services to external client applications: receive a request for a field; identify first and second columns in the data store associated with the field, the first column holding a first encrypted value that was encrypted with a first key, and the second column holding a second encrypted value that was encrypted with a second key; select one of the first and second columns to read based at least in part on a difference in time between a current date-time and a date-time of a prior key rotation; upon selection of the first column, ignore the second column, decrypting the first encrypted value using the first key, and sending the result in a response to the request for the field; and, upon selection of the second column, ignore the first column, decrypting the second encrypted value using the second key rather, and sending the result in a response to the request for the field.
7. The system of claim 6, wherein the first and second keys are each time-limited keys.
8. The system of claim 6, wherein the date-time of the prior key rotation is a date-time of a most recent key rotation in the data layer.
9. The system of claim 6, wherein the selection one of the first and second columns to read, based at least in part on the difference in time between the current date-time and the date-time of a prior key rotation, comprises: if the difference is greater than a maximum data lifetime in the data layer, selecting the first column; and, if the difference is less than the maximum data lifetime in the data layer, selecting the second column.
10. The system of claim 6, wherein the first key comprises a current key and the second key comprises a prior key.
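The dual-column scheme of the abstract and the column-selection rule of claim 4, as an added Go example (this is not code from the patent or from any assignee's product): two key slots, every write sealed under both, and reads choosing the column from the time elapsed since the last rotation. AES-256-GCM, a 24-hour W, the slot layout and all names are my assumptions; the claims do not fix a cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// W from the abstract: a record lives in the store for at most this long (assumed value).
const MaxDataLifetime = 24 * time.Hour

type DataLayer struct {
	keys         [2][]byte // two key slots; a rotation overwrites the older slot with a fresh key
	current      int       // slot holding the newest key; 1-current holds the prior key
	lastRotation time.Time
	rows         map[string][2][]byte // rows[field][i] = the value sealed under keys[i]
}

func randomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g } // 32-byte keys never fail here
// seal/open: AES-256-GCM with the random nonce prepended to the ciphertext.
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize()); rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := aead(key)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
func NewDataLayer(now time.Time) *DataLayer { return &DataLayer{keys: [2][]byte{randomKey(), randomKey()}, current: 1, lastRotation: now, rows: map[string][2][]byte{}} }

// Write encrypts the arriving value twice, one column per key slot (the two tokens of the abstract).
func (d *DataLayer) Write(field string, value []byte) {
	d.rows[field] = [2][]byte{seal(d.keys[0], value), seal(d.keys[1], value)}
}

// Read applies claim 4: more than W after the last rotation every live row was written under the present key
// pair, so use the current key's column; within W some live rows predate the rotation, and the only key they
// share with newer rows is the prior key, so use its column. The other column is ignored either way.
func (d *DataLayer) Read(field string, now time.Time) ([]byte, error) {
	row, ok := d.rows[field]
	if !ok { return nil, errors.New("no such field") }
	slot := 1 - d.current // the prior key's column
	if now.Sub(d.lastRotation) > MaxDataLifetime { slot = d.current }
	return open(d.keys[slot], row[slot])
}

// Rotate discards the older key and generates a fresh one in its slot; the caller keeps the interval K >= W.
func (d *DataLayer) Rotate(now time.Time) {
	d.current, d.lastRotation = 1-d.current, now
	d.keys[d.current] = randomKey()
}
```

A row that outlives W across a rotation ends up in a column whose key has been discarded, so after W it fails GCM authentication instead of decrypting; that is why the abstract requires K to be at least W.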
CPC classification titles:

- involving random numbers or seeds
- to features or functions of an application
- to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807)
- Key scheduling, i.e. generating round keys or sub-keys for block encryption