Abstract: Format-preserving encryption and decryption processes are provided. The encryption and decryption processes may use a block cipher. A string that is to be encrypted or decrypted may be converted to a unique binary value. The block cipher may operate on the binary value. If the output of the block cipher that is produced is not representative of a string that is in the same format as the original string, the block cipher may be applied again. The block cipher may be repeatedly applied in this way during format-preserving encryption operations and during format-preserving decryption operations until a format-compliant output is produced. Selective access may be provided to portions of a string that have been encrypted using format-preserving encryption.

Abstract: Online ordering systems allow a user to submit sensitive information such as payment card information to a merchant in encrypted form. A payment card processor server may be used to provide the user's web browser with code for an encryption function, a cryptographic key, and a key identifier. The web browser may encrypt the payment card information by executing the encryption function and using the key. The encrypted payment card information may be supplied to the merchant over the internet. A key identifier that identifies which cryptographic key was used in encrypting the payment card information may be provided to the merchant without providing the merchant with access to the key. The merchant can forward the encrypted payment card information to the credit card processor server with the key identifier. The processor server can use the key identifier to obtain the key and decrypt the payment card information for authorization.

Abstract: Systems and methods are provided for securing payment card information. A user may present a payment card such as a credit card to point-of-sale equipment. The point-of-sale equipment may encrypt the payment card information. An encryption algorithm may be used that takes as inputs a first part of the payment card information, a tweak formed by a second part of the payment card information, and an encryption key. The encrypted payment card information may be conveyed to a gateway over a communications network. The gateway may identify which encryption algorithm was used in encrypting the payment card information and may re-encrypt the payment card information using a format preserving encryption algorithm. A network-based service may be used to remotely perform functions for the gateway.

Abstract: A data processing system is provided that includes applications, databases, encryption engines, and decryption engines. Encryption and decryption engines may be used to perform format-preserving encryption on data strings stored in a database. Applications may be used to embed information in data strings. Information may be embedded by using a character set that is larger than a character set being used by a data string. A data string may be converted into a larger character set, analogous to converting a number from a lower base to higher base. Such a conversion may shorten a data string, allowing information to be embedded as appended characters.

Abstract: A customer may provide a merchant with primary account number information in connection with a purchase transaction. The merchant may send an associated authorization request to a payment card processor. A tokenization server at the payment card processor may generate a token corresponding to the primary account number. To secure the token, the token may be encrypted at the payment card processor using a cryptographic key shared with the merchant. A structure preserving encryption algorithm may be used in encrypting the token. A processor identifier may be embedded in the encrypted version of the token during the structure preserving encryption operation. The merchant can use the shared key to decrypt the token and extract the processor identifier. A settlement request may be directed to the processor from the merchant to settle the transaction using the processor identifier.

Abstract: A system may include a point-of-sale system that gathers payment card track data from a payment card and a payment card gateway that processes the track data to authorize purchase transactions. The point-of-sale system may remove sensitive data such as a portion of a primary account number from the track data and may compress the removed data. The compressed version of the data may be appended to a discretionary field in the track data. The discretionary field may be encrypted following insertion of the compressed data. Track data that has been modified in this way may be conveyed to the payment gateway for processing.

Abstract: A system that supports cryptographic web services is provided. A program running on program computing equipment may call a local cryptographic function. A web services interface such as a simple object access protocol interface on the program computing equipment makes a corresponding remote cryptographic function call to a web services interface such as a simple object access protocol interface at a cryptographic web service over a communications network such as the internet. At the cryptographic web service, a cryptographic engine implements cryptographic operations such as encryption and decryption operations. After successful authentication of the calling program, the cryptographic engine produces results for the remotely cryptographic function and returns the results to the program over the communications network.

Abstract: Systems and methods are provided for securing payment card information. A user may present a payment card such as a credit card to point-of-sale equipment. The point-of-sale equipment may use a symmetric key to encrypt payment card information associated with the payment card. The symmetric key may be encrypted at the point-of-sale equipment using the identity-based-encryption (IBE) public key of a purchase transaction processor to produce a key transfer block. The key transfer block and the encrypted payment card information may be conveyed from the point-of-sale equipment to the purchase transaction processor over a communications network. At the purchase transaction processor, an IBE private key may be used to recover the symmetric key from the key transfer block. The symmetric key can be used to decrypt the encrypted payment card information for processing and re-encryption using a key associated with the purchase transaction processor.

Abstract: Format-preserving encryption and decryption processes are provided. The encryption and decryption processes may use a block cipher. A string that is to be encrypted or decrypted may be converted to a unique binary value. The block cipher may operate on the binary value. If the output of the block cipher that is produced is not representative of a string that is in the same format as the original string, the block cipher may be applied again. The block cipher may be repeatedly applied in this way during format-preserving encryption operations and during format-preserving decryption operations until a format-compliant output is produced. Selective access may be provided to portions of a string that have been encrypted using format-preserving encryption.

Abstract: Format preserving encryption (FPE) cryptographic engines are provided for performing encryption and decryption on strings. A plaintext string may be converted to ciphertext by repeated application of a format preserving encryption cryptographic algorithm. Following each application of the format preserving cryptographic algorithm, the resulting version of the string may be analyzed to determine whether desired string constraints have been satisfied. If the string constraints have not been satisfied, further applications of the format preserving cryptographic algorithm may be performed. If the string constraints have been satisfied, the current version of the string may be used as an output for the cryptographic engine.

Abstract: Key requests in a data processing system may include identifiers such as user names, policy names, and application names. The identifiers may also include validity period information indicating when corresponding keys are valid. When fulfilling a key request, a key server may use identifier information from the key request in determining which key access policies to apply and may use the identifier in determining whether an applicable policy has been satisfied. When a key request is authorized, the key server may generate a key by applying a one-way function to a root secret and the identifier. Validity period information for use by a decryption engine may be embedded in data items that include redundant information. Application testing can be facilitated by populating a test database with data that has been encrypted using a format-preserving encryption algorithm. Parts of a data string may be selectively encrypted based on their sensitivity.

Abstract: Online ordering systems allow a user to submit sensitive information such as payment card information to a merchant in encrypted form. A payment card processor server may be used to provide the user's web browser with code for an encryption function, a cryptographic key, and a key identifier. The web browser may encrypt the payment card information by executing the encryption function and using the key. The encrypted payment card information may be supplied to the merchant over the internet. A key identifier that identifies which cryptographic key was used in encrypting the payment card information may be provided to the merchant without providing the merchant with access to the key. The merchant can forward the encrypted payment card information to the credit card processor server with the key identifier. The processor server can use the key identifier to obtain the key and decrypt the payment card information for authorization.

Abstract: A system that supports cryptographic web services is provided. A program running on program computing equipment may call a local cryptographic function. A web services interface such as a simple object access protocol interface on the program computing equipment makes a corresponding remote cryptographic function call to a web services interface such as a simple object access protocol interface at a cryptographic web service over a communications network such as the internet. At the cryptographic web service, a cryptographic engine implements cryptographic operations such as encryption and decryption operations. After successful authentication of the calling program, the cryptographic engine produces results for the remotely cryptographic function and returns the results to the program over the communications network.

Abstract: Key requests in a data processing system may include identifiers such as user names, policy names, and application names. The identifiers may also include validity period information indicating when corresponding keys are valid. When fulfilling a key request, a key server may use identifier information from the key request in determining which key access policies to apply and may use the identifier in determining whether an applicable policy has been satisfied. When a key request is authorized, the key server may generate a key by applying a one-way function to a root secret and the identifier. Validity period information for use by a decryption engine may be embedded in data items that include redundant information. Application testing can be facilitated by populating a test database with data that has been encrypted using a format-preserving encryption algorithm. Parts of a data string may be selectively encrypted based on their sensitivity.

Abstract: A data processing system is provided that includes applications, databases, encryption engines, and decryption engines. Encryption and decryption engines may be used to perform format-preserving encryption on data strings stored in a database. Applications may be used to embed information in data strings. Information may be embedded by using a character set that is larger than a character set being used by a data string. A data string may be converted into a larger character set, analogous to converting a number from a lower base to higher base. Such a conversion may shorten a data string, allowing information to be embedded as appended characters.

Abstract: Format preserving encryption (FPE) cryptographic engines are provided for performing encryption and decryption on strings. A plaintext string may be converted to ciphertext by repeated application of a format preserving encryption cryptographic algorithm. Following each application of the format preserving cryptographic algorithm, the resulting version of the string may be analyzed to determine whether desired string constraints have been satisfied. If the string constraints have not been satisfied, further applications of the format preserving cryptographic algorithm may be performed. If the string constraints have been satisfied, the current version of the string may be used as an output for the cryptographic engine.

Abstract: A user who is browsing the web may use a web site verification service to ascertain whether a web site that appears to be associated with a trusted entity is actually associated with that entity. The web site verification service retains the URL of an unauthenticated web site. The user types a text string naming the entity that the user believes should be associated with the web site into a text box. A database such as an internet search engine database or a database containing a list of trusted entities and their URLs may be queried using the user-supplied text string. The retained URL may be compared to the resulting list of URLs. If the retained URL does not match one of the URLs in the query results, the user may be warned that the web site does not appear to be associated with the trusted entity.

Abstract: Key requests in a data processing system may include identifiers such as user names, policy names, and application names. The identifiers may also include validity period information indicating when corresponding keys are valid. When fulfilling a key request, a key server may use identifier information from the key request in determining which key access policies to apply and may use the identifier in determining whether an applicable policy has been satisfied. When a key request is authorized, the key server may generate a key by applying a one-way function to a root secret and the identifier. Validity period information for use by a decryption engine may be embedded in data items that include redundant information. Application testing can be facilitated by populating a test database with data that has been encrypted using a format-preserving encryption algorithm. Parts of a data string may be selectively encrypted based on their sensitivity.

Abstract: A data processing system is provided that includes applications, databases, encryption engines, and decryption engines. Encryption and decryption engines may be used to perform format-preserving encryption on data strings stored in a database. Applications may be used to embed information in data strings. Information may be embedded by using a character set that is larger than a character set being used by a data string. A data string may be converted into a larger character set, analogous to converting a number from a lower base to higher base. Such a conversion may shorten a data string, allowing information to be embedded as appended characters.

Abstract: Format preserving encryption (FPE) cryptographic engines are provided for performing encryption and decryption on strings. A plaintext string may be converted to ciphertext by repeated application of a format preserving encryption cryptographic algorithm. Following each application of the format preserving cryptographic algorithm, the resulting version of the string may be analyzed to determine whether desired string constraints have been satisfied. If the string constraints have not been satisfied, further applications of the format preserving cryptographic algorithm may be performed. If the string constraints have been satisfied, the current version of the string may be used as an output for the cryptographic engine.