FORMAT-PRESERVING CRYPTOGRAPHIC SYSTEMS

摘要

Key requests in a data processing system may include identifiers such as user names, policy names, and application names. The identifiers may also include validity period information indicating when corresponding keys are valid. When fulfilling a key request, a key server may use identifier information from the key request in determining which key access policies to apply and may use the identifier in determining whether an applicable policy has been satisfied. When a key request is authorized, the key server may generate a key by applying a one-way function to a root secret and the identifier. Validity period information for use by a decryption engine may be embedded in data items that include redundant information. Application testing can be facilitated by populating a test database with data that has been encrypted using a format-preserving encryption algorithm. Parts of a data string may be selectively encrypted based on their sensitivity.

主权项

1. A method for testing applications that access a test database in a test environment before using the applications to access a production database in a production environment, the method comprising:
at computing equipment, generating encrypted data by encrypting sensitive data in the production database using a format-preserving encryption algorithm; with the computing equipment, exporting the encrypted data from the production database to the test database; and at the computing equipment, testing the applications by using the applications in the test environment to access the encrypted data in the test database, wherein encrypting the sensitive data in the production database comprises encrypting credit card numbers in the production database using the format-preserving encryption algorithm, wherein encrypting the credit card numbers in the production database comprises:
obtaining an unencrypted credit card number at the production database; andremoving only a checksum digit from the unencrypted credit card number.