49 results about "Format-preserving encryption" patented technology

A data processing system is provided that includes applications, databases, encryption engines, and decryption engines. Encryption and decryption engines may be used to perform format-preserving encryption on data strings stored in a database. Applications may be used to embed information in data strings. Information may be embedded by using a character set that is larger than a character set being used by a data string. A data string may be converted into a larger character set, analogous to converting a number from a lower base to higher base. Such a conversion may shorten a data string, allowing information to be embedded as appended characters.

A data processing system is provided that includes format-preserving encryption and decryption engines. A string that contains characters has a specified format. The format defines a legal set of character values for each character position in the string. During encryption operations with the encryption engine, a string is processed to remove extraneous characters and to encode the string using an index. The processed string is encrypted using a format-preserving block cipher. The output of the block cipher is post-processed to produce an encrypted string having the same specified format as the original unencrypted string. During decryption operations, the decryption engine uses the format-preserving block cipher in reverse to transform the encrypted string into a decrypted string having the same format.

Methods and systems are described for format-preserving encryption. Format-preserving encryption on an entire format F may be achieved by performing format-preserving encryption on one or more subsets of F and then applying one or more permutation rounds in such a way that all elements of F enter a subset to be encrypted. A predetermined number of encryption rounds and a predetermined number of permutation rounds may be interleaved until all elements are thoroughly mixed. The resultant output data may be saved in a database in the same format as the original input data, meet all constraints of the database, and pass all validity checks applied by software supporting the database.

A data processing system is provided that includes applications, databases, encryption engines, and decryption engines. Encryption and decryption engines may be used to perform format-preserving encryption on data strings stored in a database. Encryption and decryption engines may include embedded-format-preserving encryption and decryption engines. Embedded-format-preserving encryption engines may be used to encrypt data strings and embed information in data strings. Information corresponding to a format-preserving encryption operation of a data string may be embedded in an associated data string. The associated data string may be encrypted before or after embedding the information in the associated data string. The embedded information may include key management data that corresponds to a managed encryption key that was used to encrypt the data string.

Format-preserving encryption and decryption processes are provided. The encryption and decryption processes may use a block cipher. A string that is to be encrypted or decrypted may be converted to a unique binary value. The block cipher may operate on the binary value. If the output of the block cipher that is produced is not representative of a string that is in the same format as the original string, the block cipher may be applied again. The block cipher may be repeatedly applied in this way during format-preserving encryption operations and during format-preserving decryption operations until a format-compliant output is produced. Selective access may be provided to portions of a string that have been encrypted using format-preserving encryption.

A variable-length block cipher apparatus and method capable of format preserving encryption are provided. An encryption device for a variable-length block cipher apparatus includes an encryption key generation unit configured to generate encryption round keys eRK₀, eRK₁, . . . , eRK_Nr using a secret key and the number of rounds Nr, and a ciphertext output unit configured to output ciphertext having a length identical to that of plaintext using the plaintext and the encryption round keys. 7. A decryption device for a variable-length block cipher apparatus includes a decryption key generation unit configured to generate decryption round keys dRK₀, dRK₁, . . . , dRK_Nr using a secret key and a number of rounds Nr, and a plaintext restoration unit configured to restore ciphertext into plaintext having a length identical to that of the ciphertext using the ciphertext and the decryption round keys.

Format-preserving encryption and decryption processes are provided. The encryption and decryption processes may use a block cipher. A string that is to be encrypted or decrypted may be converted to a unique binary value. The block cipher may operate on the binary value. If the output of the block cipher that is produced is not representative of a string that is in the same format as the original string, the block cipher may be applied again. The block cipher may be repeatedly applied in this way during format-preserving encryption operations and during format-preserving decryption operations until a format-compliant output is produced. Selective access may be provided to portions of a string that have been encrypted using format-preserving encryption.

The invention provides an implementation mode of an extensible format-preserving encryption method, which comprises the following steps: firstly, judging the type of a field to be encrypted in a usersensitive information database, determining whether the field belongs to a common message space or not, and if so, according to a character set identifier of data, acquiring a specific character set in a common message space defined in the program in advance; and if not, expanding a new message space, and obtaining a newly-added character set; mapping plaintext character strings needing to be encrypted through the character sets obtained respectively, and encoding the plaintext character strings into plaintext numeric strings; encrypting to obtain a ciphertext numeric string; and finally, selecting a character set of the message space according to the character set identifier, and performing inverse mapping on the encrypted ciphertext numeric string to obtain ciphertext character strings with the same format, thereby finishing encryption. By defining and configuring the message space, the configurable and extensible FPE message space is realized, the new message space does not need tobe adapted by modifying a bottom layer code, and the practicability of the FPE encryption method is improved.

Systems, apparatuses, and methods are provided for fast format-preserving encryption. An input string can be divided into blocks (potentially of varying length). An arrangement of cryptographic pipelines can perform operations on different blocks, each pipeline providing an output block. The cryptographic pipelines can interact such that the output blocks are dependent on each other, thereby providing strong encryption. The pipelines can operate efficiently on the block and operations can occur partly in parallel.

The invention relates to the field of information security, in particular to an information identification system and an information identification method. The information identification system comprises transaction platforms, a gateway, a payment platform, a secret key management platform, a first FPE (format preserving encryption) encryptor and a second FPE encryptor, wherein each transaction platform is used for acquiring sensitive information and generating and sending a transaction request, the gateway is connected with the transaction platforms and used for providing an access port for the transaction platforms, the payment platform is connected with the gateway and used for achieving payment for the transaction request, the secret key management platform is connected with the payment platform and used for managing and assigning secret key information of the transaction platforms, the first FPE encryptor is connected with the gateway and used for achieving identification of the sensitive information in the transaction request, and the second FPE encryptor is connected with the secret key management platform and used for decrypting the sensitive information subjected to identification. The information identification system centers on the secret key management platform, secret keys are distributed to each transaction platform, and the sensitive information is encrypted by FPE, so that no change on data length during sensitive information transmission is guaranteed, and security of the sensitive information is ensured.

[Subject] To provide a format-preserving encryption device and the like that enables efficient and secure encryption/decryption while maintaining the data format.

[Solution] An encryption device 10 includes: an unit block tweakable encryption module 101 that encrypts a specific digit of a plain text by using numerical values of remaining respective digits excluding the specific digit of the plain text and an external tweak that is input concurrently with the plain text; a block permutation module 102 that permutates respective digits including the encrypted specific digit of the plain text per digit based on a predetermined rule; and a counter update module 103 that causes processing by the unit block tweakable encryption unit and the block permutation unit to repeat for a predetermined number of times. A decryption device 20 performs the reverse processing to the encryption device 10.