Patents by Inventor Ulf Mattsson

Ulf Mattsson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210144005
    Abstract: Embodiments of the present disclosure relate to vaultless format-preserving tokenization systems and methods. Some methods include encoding a first data set to produce encoded input data; generating a secure tweak for the encoded input data based on a token format schema by: encoding a tweak input to produce an encoded tweak input; and hashing the encoded tweak input along with a unique hashing key to generate the secure tweak; applying a format preserving encryption algorithm that utilizes the encoded input data, the secure tweak, and a unique encryption key to generate ciphertext output; and generating a token from the ciphertext output.
    Type: Application
    Filed: January 25, 2021
    Publication date: May 13, 2021
    Inventors: Justin Stanley, Jacob Burcham, Ulf Mattsson
  • Patent number: 10952278
    Abstract: Exemplary embodiments include methods performed by a cellular Internet of Things, CIoT, user equipment, UE, for transmission of data in a communication network comprising a radio access network, RAN, and a core network, CN. Embodiments include sending, to an Access and Mobility Management Function, AMF, a request to establish a small-data user-plane, SDUP, data session. Embodiments can also include receiving a response indicating that the requested SDUP data session is established. The response can include an identifier associated with a user-plane function, UPF, within the CN, that supports the established SDUP data session. The response can also include an SDUP security configuration for communication between the UE and the CN during the established SDUP data session. Embodiments can also include subsequently communicating user data, associated with the established SDUP data session, with the UPF via a serving node in the RAN.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: March 16, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Gunnar Mildh, Qian Chen, Mohammed Yazid Lyazidi, Ulf Mattsson, Hans Bertil Rönneke, Paul Schliwa-Bertling, Magnus Stattin
  • Publication number: 20210073414
    Abstract: A method for distributed tokenization of sensitive strings of characters, such as social security numbers, credit card numbers and the like, in a local server is disclosed. The method comprises the steps of receiving from a central server at least one, and preferably at least two, static token lookup tables, and receiving a sensitive string of characters. In a first tokenization step, a first substring of characters is substituted with a corresponding first token from the token lookup table(s) to form a first tokenized string of characters, wherein the first substring of characters is a substring of the sensitive string of characters. Thereafter, in a second step of tokenization, a second substring of characters is substituted with a corresponding second token from the token lookup table(s) to form a second tokenized string of characters, wherein the second substring of characters is a substring of the first tokenized string of characters. Optionally, one or more additional tokenization steps is/are used.
    Type: Application
    Filed: November 20, 2020
    Publication date: March 11, 2021
    Inventor: Ulf Mattsson
  • Patent number: 10904001
    Abstract: Embodiments of the present disclosure relate to vaultless format-preserving tokenization systems and methods. Some methods include encoding a first data set to produce encoded input data; generating a secure tweak for the encoded input data based on a token format schema by: encoding a tweak input to produce an encoded tweak input; and hashing the encoded tweak input along with a unique hashing key to generate the secure tweak; applying a format preserving encryption algorithm that utilizes the encoded input data, the secure tweak, and a unique encryption key to generate ciphertext output; and generating a token from the ciphertext output.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: January 26, 2021
    Assignee: TOKENEX, INC.
    Inventors: Justin Stanley, Jacob Burcham, Ulf Mattsson
  • Patent number: 10885222
    Abstract: A method for distributed tokenization of sensitive strings of characters, such as social security numbers, credit card numbers and the like, in a local server is disclosed. The method comprises the steps of receiving from a central server at least one, and preferably at least two, static token lookup tables, and receiving a sensitive string of characters. In a first tokenization step, a first substring of characters is substituted with a corresponding first token from the token lookup table(s) to form a first tokenized string of characters, wherein the first substring of characters is a substring of the sensitive string of characters. Thereafter, in a second step of tokenization, a second substring of characters is substituted with a corresponding second token from the token lookup table(s) to form a second tokenized string of characters, wherein the second substring of characters is a substring of the first tokenized string of characters. Optionally, one or more additional tokenization steps is/are used.
    Type: Grant
    Filed: September 25, 2019
    Date of Patent: January 5, 2021
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Publication number: 20200374120
    Abstract: Embodiments of the present disclosure relate to vaultless format-preserving tokenization systems and methods. Some methods include encoding a first data set to produce encoded input data; generating a secure tweak for the encoded input data based on a token format schema by: encoding a tweak input to produce an encoded tweak input; and hashing the encoded tweak input along with a unique hashing key to generate the secure tweak; applying a format preserving encryption algorithm that utilizes the encoded input data, the secure tweak, and a unique encryption key to generate ciphertext output; and generating a token from the ciphertext output.
    Type: Application
    Filed: May 24, 2019
    Publication date: November 26, 2020
    Inventors: Justin Stanley, Jacob Burcham, Ulf Mattsson
  • Publication number: 20200356691
    Abstract: Database entries can be protected by indexing the entries using a plurality of indexes, each associated with a level of access rights. A level of access rights can be determined from a search query, and an index can be selected based on the determined level of access rights. A search key can be generated based on the received query, and the selected index can be searched using the search query. Database entries mapped to the values of the selected index returned in response to the search can be outputted. Each index is associated with a different granularity defining the number and/or ambiguity of search results returned in response to searching an index.
    Type: Application
    Filed: July 27, 2020
    Publication date: November 12, 2020
    Inventors: Yigal Rozenberg, Ulf Mattsson
  • Patent number: 10769293
    Abstract: Database entries can be protected by indexing the entries using a plurality of indexes, each associated with a level of access rights. A level of access rights can be determined from a search query, and an index can be selected based on the determined level of access rights. A search key can be generated based on the received query, and the selected index can be searched using the search query. Database entries mapped to the values of the selected index returned in response to the search can be outputted. Each index is associated with a different granularity defining the number and/or ambiguity of search results returned in response to searching an index.
    Type: Grant
    Filed: February 6, 2019
    Date of Patent: September 8, 2020
    Assignee: Protegrity Corporation
    Inventors: Yigal Rozenberg, Ulf Mattsson
  • Publication number: 20200226290
    Abstract: New tokenization tables are derived at intervals in order to increase the security of tokenized data that is transferred between two endpoints. Generation of the new tokenization tables is based on previous tokenization tables, which advantageously allows the generation process to be performed locally at the two endpoints independently of an external tokenization table provider. New tokenization tables can periodically be distributed to the endpoints as a new starting point for derivation.
    Type: Application
    Filed: March 27, 2020
    Publication date: July 16, 2020
    Inventors: Yigal Rozenberg, Ulf Mattsson
  • Publication number: 20200170071
    Abstract: Exemplary embodiments include methods performed by a cellular Internet of Things, CIoT, user equipment, UE, for transmission of data in a communication network comprising a radio access network, RAN, and a core network, CN. Embodiments include sending, to an Access and Mobility Management Function, AMF, a request to establish a small-data user-plane, SDUP, data session. Embodiments can also include receiving a response indicating that the requested SDUP data session is established. The response can include an identifier associated with a user-plane function, UPF, within the CN, that supports the established SDUP data session. The response can also include an SDUP security configuration for communication between the UE and the CN during the established SDUP data session. Embodiments can also include subsequently communicating user data, associated with the established SDUP data session, with the UPF via a serving node in the RAN.
    Type: Application
    Filed: February 19, 2019
    Publication date: May 28, 2020
    Inventors: Gunnar Mildh, Qian Chen, Mohammed Yazid Lyazidi, Ulf Mattsson, Hans Bertil Rönneke, Paul Schliwa-Bertling, Magnus Stattin
  • Publication number: 20200137040
    Abstract: A tokenization system tokenizes sensitive data to prevent unauthorized entities from accessing the sensitive data. The tokenization system accesses sensitive data, and retrieves an initialization vector (IV) from an IV table using a first portion of the sensitive data. A second portion of the sensitive data is modified using the accessed initialization vector. A token table is selected from a set of token tables using a third portion of the sensitive data. The modified second portion of data is used to query the selected token table, and a token associated with the value of the modified second portion of data is accessed. The second portion of the sensitive data is replaced with the accessed token to form tokenized data.
    Type: Application
    Filed: December 31, 2019
    Publication date: April 30, 2020
    Inventors: Ulf Mattsson, Yigal Rozenberg, Vichai Levy
  • Patent number: 10635835
    Abstract: New tokenization tables are derived at intervals in order to increase the security of tokenized data that is transferred between two endpoints. Generation of the new tokenization tables is based on previous tokenization tables, which advantageously allows the generation process to be performed locally at the two endpoints independently of an external tokenization table provider. New tokenization tables can periodically be distributed to the endpoints as a new starting point for derivation.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: April 28, 2020
    Assignee: Protegrity Corporation
    Inventors: Yigal Rozenberg, Ulf Mattsson
  • Publication number: 20200106749
    Abstract: A gateway device for implementing data security is described herein. The gateway device is coupled between a client device and a server device, and is configured to receive encoded data and a set of operations from the server device in response to a request for cloud services from the client device. The gateway device is configured to decode the encoded data, and to provide the decoded data and the set of operations to the client device. The client device is configured to perform the set of operations on the decoded data, and to incorporate the operation results into an application or interface corresponding to the requested cloud service. The gateway device is configured to encode the operation result data, and to provide the encoded operation result data to the server device for storage.
    Type: Application
    Filed: December 3, 2019
    Publication date: April 2, 2020
    Inventors: Rajnish Jain, Vichai Levy, Ulf Mattsson, Yigal Rozenberg
  • Patent number: 10560451
    Abstract: A tokenization system tokenizes sensitive data to prevent unauthorized entities from accessing the sensitive data. The tokenization system accesses sensitive data, and retrieves an initialization vector (IV) from an IV table using a first portion of the sensitive data. A second portion of the sensitive data is modified using the accessed initialization vector. A token table is selected from a set of token tables using a third portion of the sensitive data. The modified second portion of data is used to query the selected token table, and a token associated with the value of the modified second portion of data is accessed. The second portion of the sensitive data is replaced with the accessed token to form tokenized data.
    Type: Grant
    Filed: January 5, 2019
    Date of Patent: February 11, 2020
    Assignee: Protegrity Corporation
    Inventors: Ulf Mattsson, Yigal Rozenberg, Vichai Levy
  • Patent number: 10552622
    Abstract: A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.
    Type: Grant
    Filed: December 9, 2014
    Date of Patent: February 4, 2020
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Patent number: 10541975
    Abstract: A gateway device for implementing data security is described herein. The gateway device is coupled between a client device and a server device, and is configured to receive encoded data and a set of operations from the server device in response to a request for cloud services from the client device. The gateway device is configured to decode the encoded data, and to provide the decoded data and the set of operations to the client device. The client device is configured to perform the set of operations on the decoded data, and to incorporate the operation results into an application or interface corresponding to the requested cloud service. The gateway device is configured to encode the operation result data, and to provide the encoded operation result data to the server device for storage.
    Type: Grant
    Filed: April 11, 2018
    Date of Patent: January 21, 2020
    Assignee: Protegrity Corporation
    Inventors: Rajnish Jain, Vichai Levy, Ulf Mattsson, Yigal Rozenberg
  • Publication number: 20200019727
    Abstract: A method for distributed tokenization of sensitive strings of characters, such as social security numbers, credit card numbers and the like, in a local server is disclosed. The method comprises the steps of receiving from a central server at least one, and preferably at least two, static token lookup tables, and receiving a sensitive string of characters. In a first tokenization step, a first substring of characters is substituted with a corresponding first token from the token lookup table(s) to form a first tokenized string of characters, wherein the first substring of characters is a substring of the sensitive string of characters. Thereafter, in a second step of tokenization, a second substring of characters is substituted with a corresponding second token from the token lookup table(s) to form a second tokenized string of characters, wherein the second substring of characters is a substring of the first tokenized string of characters. Optionally, one or more additional tokenization steps is/are used.
    Type: Application
    Filed: September 25, 2019
    Publication date: January 16, 2020
    Inventor: Ulf Mattsson
  • Patent number: 10467428
    Abstract: A method for distributed tokenization of sensitive strings of characters, such as social security numbers, credit card numbers and the like, in a local server is disclosed. The method comprises the steps of receiving from a central server at least one, and preferably at least two, static token lookup tables, and receiving a sensitive string of characters. In a first tokenization step, a first substring of characters is substituted with a corresponding first token from the token lookup table(s) to form a first tokenized string of characters, wherein the first substring of characters is a substring of the sensitive string of characters. Thereafter, in a second step of tokenization, a second substring of characters is substituted with a corresponding second token from the token lookup table(s) to form a second tokenized string of characters, wherein the second substring of characters is a substring of the first tokenized string of characters. Optionally, one or more additional tokenization steps is/are used.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: November 5, 2019
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Patent number: 10455382
    Abstract: Handling a plurality of Presence Reporting Areas, PRAs, may currently present inconsistencies between the PRAs active in a policy controller and those PRAs active in a network node handling UE mobility, e.g. MME/SGSN. To overcome these and other drawbacks, there are provided enhanced policy controller, network node and method of handling a plurality of PRAs. This method comprises selecting, at the policy controller, a plurality of applicable PRAs; transmitting from the policy controller, and receiving at the network node, the plurality of applicable PRAs; selecting, at the network node from the plurality of applicable PRAs, a number of PRAs to be active at the network node; and transmitting from the network node, and receiving at the policy controller, at least one of: an indication on whether a UE is inside or outside a PRA, and an indication on whether a PRA is or is not accepted to be active by the network node.
    Type: Grant
    Filed: November 8, 2016
    Date of Patent: October 22, 2019
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Maria Belen Pancorbo Marcos, Roland Gustafsson, Josefin Karlsson, Åsa Larsen, Irene Martin Cabello, Ulf Mattsson
  • Patent number: 10440568
    Abstract: The embodiments herein relate to a method in a wireless device (101) for enabling trusted communication between a wireless device entity (101a) and a second network node (105) via a first network node (103). The wireless device (101) and the first network node (103) are adapted to communicate using a secure communication channel. The wireless device (101) transmits a message to the first network node (103) using the secure communication channel. The message comprises information indicating that the wireless device entity (101a) is comprised in a trusted zone of the wireless device (101). The trusted zone is at least partly trusted by the first network node (103).
    Type: Grant
    Filed: October 17, 2013
    Date of Patent: October 8, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Ulf Mattsson, Victor Manuel Avila Gonzalez, Anders Lundström