Key rotation for sensitive data tokenization
US-11849036-B2 · Dec 19, 2023 · US
Key rotation for sensitive data tokenization
US12088710B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12088710-B2 |
| Application number | US-202318490843-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 20, 2023 |
| Priority date | Sep 24, 2019 |
| Publication date | Sep 10, 2024 |
| Grant date | Sep 10, 2024 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
This document describes techniques for rotating keys used to tokenize data stored in a streaming data store where data is stored for a maximum time [W]. In some embodiments, a data layer of such a data store can encrypt arriving original data values twice. The original data value is first encrypted with a first key, producing a first token. The original data value is encrypted with a second key, producing a second token. Each encrypted token can be stored separately in the data store. A field may be associated with two database columns, one holding the value encrypted with the first key and the second holding the value encrypted with the second key. Keys are rotated after time [K], which is at least equal to and preferably longer than [W]. Rotation can involve discarding the older key and generating a new key so that two keys are still used.
First claim
Opening claim text (preview).
The invention claimed is: 1. A method for performing a search operation, the method comprising: within a data layer that has a data store and that provides data services to external client applications: receiving a request to search the data store for a query value; identifying first and second keys, a first column of the data store holding a first encrypted value that was encrypted with the first key, and a second column of the data store holding a second encrypted value that was encrypted with the second key; selecting one of the first and second keys based at least in part on a difference in time between a current date-time and a date-time of a prior key rotation; upon selection of the first key, encrypting the query value using the first key, and constructing a first search command with the encrypted query value to be applied to at least one of the first and second columns, executing the first search command, and returning a result based thereon in response to the request to search the data store; and, upon selection of the second key, encrypting the query value using the second key, and constructing a second search command with the encrypted query value to be applied to at least one of the first and second columns, executing the second search command, and returning a result based thereon in response to the request to search the data store. 2. The method of claim 1 , wherein the first and second keys are each time-limited keys. 3. The method of claim 1 , wherein the date-time of the prior key rotation is a date-time of a most recent key rotation in the data layer. 4. The method of claim 1 , wherein the selecting one of the first and second keys based at least in part on the difference in time between the current date-time and the date-time of a prior key rotation, comprises: if the difference is greater than a maximum data lifetime in the data layer, selecting the first key; and, if the difference is less than the maximum data lifetime in the data layer, selecting the second key. 5. The method of claim 1 , wherein the first key comprises a current key and the second key comprises a prior key. 6. A system, comprising one or more computers having circuitry forming one or more processors and memory holding computer program instructions for execution on the one or more processors, the computer program instructions when executed causing the one or more computers to perform a search operation in response to receiving a request to search for a query value, the search operation comprising: within a data layer that has a data store and that provides data services to external client applications: identifying first and second keys, a first column of the data store holding a first encrypted value that was encrypted with the first key, and a second column of the data store holding a second encrypted value that was encrypted with the second key; selecting one of the first and second keys based at least in part on a difference in time between a current date-time and a date-time of a prior key rotation; upon selection of the first key, encrypting the query value using the first key, and constructing a first search command with the encrypted query value to be applied to at least one of the first and second columns, executing the first search command, and returning a result based thereon in response to the request to search the data store; and, upon selection of the second key, encrypting the query value using the second key, and constructing a second search command with the encrypted query value to be applied to at least one of the first and second columns, executing the second search command, and returning a result based thereon in response to the request to search the data store. 7. The system of claim 6 , wherein the first and second keys are each time-limited keys. 8. The system of claim 6 , wherein the date-time of the prior key rotation is a date-time of a most recent key rotation in the data layer. 9. The system of claim 6 , wherein the selecting one of the first and second keys based at least in part on the difference in time between the current date-time and the date-time of a prior key rotation, comprises: if the difference is greater than a maximum data lifetime in the data layer, selecting the first key; and, if the difference is less than the maximum data lifetime in the data layer, selecting the second key. 10. The system of claim 6 , wherein the first key comprises a current key and the second key comprises a prior key. 11. Non-transitory computer readable medium holding computer program instructions for execution on one or more hardware processors for performing a search operation, the computer program instructions comprising instructions for: within a data layer that has a data store and that provides data services to external client applications: receiving a request to search the data store for a query value; identifying first and second keys, a first column of the data store holding a first encrypted value that was encrypted with the first key, and a second column of the data store holding a second encrypted value that was encrypted with the second key; selecting one of the first and second keys based at least in part on a difference in time between a current date-time and a date-time of a prior key rotation; upon selection of the first key, encrypting the query value using the first key, and constructing a first search command with the encrypted query value to be applied to at least one of the first and second columns, executing the first search command, and returning a result based thereon in response to the request to search the data store; and, upon selection of the second key, encrypting the query value using the second key, and constructing a second search command with the encrypted query value to be applied to at least one of the first and second columns, executing the second search command, and returning a result based thereon in response to the request to search the data store.
Assignees
Inventors
Classifications
to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title
to features or functions of an application · CPC title
Key scheduling, i.e. generating round keys or sub-keys for block encryption · CPC title
using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title
Providing cryptographic facilities or services · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12088710B2 cover?
- This document describes techniques for rotating keys used to tokenize data stored in a streaming data store where data is stored for a maximum time [W]. In some embodiments, a data layer of such a data store can encrypt arriving original data values twice. The original data value is first encrypted with a first key, producing a first token. The original data value is encrypted with a second key…
- Who is the assignee on this patent?
- Akamai Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L9/0869. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Sep 10 2024 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).