Title Hardening tokenization security and key rotation
Abstract A method of using a hardware security module and an adjunct application programming interface to harden tokenization security and encryption key rotation is disclosed. In various embodiments, the method comprises receiving encrypted data at a processor of a computer system, decrypting the encrypted data to cleartext in the processor, and issuing a unique token associated with the data.
Publication number US9628274(B1) Publication date 2017.04.18
Application number US201414542288 Filing date 2014.11.14
Applicant Amazon Technologies, Inc. Inventors Jenks Jason; Sethi Tushaar; Low Brandon B.; Cetina Jason; Johansson Jesper Mikael; Brunette Waylon; Char Hanson; Proffit Spencer
IPC classification H04L29/06; H04L9/08 Main classification H04L29/06
Agency Davis Wright Tremaine LLP Attorney Davis Wright Tremaine LLP
Independent claim 1. A method comprising: calling a ciphertext-to-ciphertext encryption function of an adjunct application programming interface (API), the ciphertext-to-ciphertext encryption function implemented in a hardware security module (HSM); accessing the HSM using the ciphertext-to-ciphertext encryption function of the adjunct API; receiving data from a database stored on a storage device external to the HSM; and performing key rotation of a first encrypted secret in the HSM using the ciphertext-to-ciphertext encryption function, the first encrypted secret received from the database, wherein the performing the key rotation comprises: receiving the first encrypted secret at the HSM, wherein the first encrypted secret is encrypted with a first key; decrypting, using the ciphertext-to-ciphertext encryption function within the HSM, the first encrypted secret to produce cleartext; encrypting, using the ciphertext-to-ciphertext encryption function within the HSM, the cleartext using a second key to create a second encrypted secret; storing the second encrypted secret in the database; updating a flag in the database to result in an updated flag, the updated flag indicating that the second encrypted secret is to be used for cryptographic operations; and storing an association between the first encrypted secret and the second encrypted secret in the database, the association being used to backfill a missing first encrypted secret in the database based at least in part on the second encrypted secret in the database.
Address Seattle WA US
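The rotation procedure in claim 1, worked through as an added example. This is not code from the patent or from Amazon; the HsmStub class, the TokenDb class, the function names and the HMAC-SHA256 counter-mode cipher (used in place of the module's own cipher so the example runs on the Python standard library) are all assumptions made here. What it shows is the property the claim is built around: the database outside the module only ever holds ciphertext, the ciphertext-to-ciphertext call decrypts under the first key and re-encrypts under the second key inside the module, the database then stores the second secret, flips the flag naming the active key, and records the first-key/second-key association that later lets a missing first secret be backfilled from the second one.

```python
"""Ciphertext-to-ciphertext key rotation with an HSM stand-in (added example)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


class HsmStub:
    """Assumed stand-in for the HSM. Raw keys and cleartext exist only inside
    this class; callers see key identifiers and opaque ciphertext blobs."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = os.urandom(32)
        return key_id

    def _subkey(self, key_id, purpose):
        # Separate encryption and MAC keys derived from the stored master key.
        return hmac.new(self._keys[key_id], purpose, hashlib.sha256).digest()

    def _keystream(self, enc_key, nonce, length):
        # HMAC-SHA256 in counter mode as a PRF keystream; this replaces the
        # module's AES so the example needs nothing beyond the stdlib.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, key_id, cleartext):
        nonce = os.urandom(NONCE_LEN)
        stream = self._keystream(self._subkey(key_id, b"enc"), nonce, len(cleartext))
        body = bytes(a ^ b for a, b in zip(cleartext, stream))
        tag = hmac.new(self._subkey(key_id, b"mac"), nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, key_id, blob):
        nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._subkey(key_id, b"mac"), nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed authentication under key %s" % key_id)
        stream = self._keystream(self._subkey(key_id, b"enc"), nonce, len(body))
        return bytes(a ^ b for a, b in zip(body, stream))

    def reencrypt(self, old_key_id, new_key_id, blob):
        # The ciphertext-to-ciphertext function of the adjunct API: the
        # cleartext produced in between never leaves the module.
        return self.encrypt(new_key_id, self.decrypt(old_key_id, blob))


class TokenDb:
    """Assumed storage external to the HSM: per-token ciphertexts keyed by
    key id, the flag naming the active key, and first/second key associations."""

    def __init__(self):
        self.rows = {}          # token -> {"secrets": {key_id: blob}, "active_key": key_id}
        self.associations = {}  # token -> (first_key_id, second_key_id)


def tokenize(hsm, db, cleartext, key_id):
    """Encrypt the secret under key_id and issue a unique token for it."""
    token = "tok_" + os.urandom(8).hex()
    db.rows[token] = {"secrets": {key_id: hsm.encrypt(key_id, cleartext)},
                      "active_key": key_id}
    return token


def detokenize(hsm, db, token):
    """Return the cleartext behind a token using the key the flag marks active."""
    row = db.rows[token]
    return hsm.decrypt(row["active_key"], row["secrets"][row["active_key"]])


def rotate_token(hsm, db, token, second_key_id):
    """Claim 1's key rotation for one stored secret; returns the second ciphertext."""
    row = db.rows[token]
    first_key_id = row["active_key"]
    second_secret = hsm.reencrypt(first_key_id, second_key_id, row["secrets"][first_key_id])
    row["secrets"][second_key_id] = second_secret           # store the second encrypted secret
    row["active_key"] = second_key_id                        # update the flag
    db.associations[token] = (first_key_id, second_key_id)   # store the association
    return second_secret


def backfill(hsm, db, token):
    """Restore a missing first encrypted secret from the second via the association."""
    first_key_id, second_key_id = db.associations[token]
    row = db.rows[token]
    if first_key_id not in row["secrets"]:
        row["secrets"][first_key_id] = hsm.reencrypt(
            second_key_id, first_key_id, row["secrets"][second_key_id])
    return row["secrets"][first_key_id]


if __name__ == "__main__":
    hsm, db = HsmStub(), TokenDb()
    hsm.create_key("key-2014")
    hsm.create_key("key-2015")
    tok = tokenize(hsm, db, b"4111 1111 1111 1111", "key-2014")  # constructed sample secret
    rotate_token(hsm, db, tok, "key-2015")
    del db.rows[tok]["secrets"]["key-2014"]                      # simulate a lost first secret
    backfill(hsm, db, tok)
    print(tok, db.rows[tok]["active_key"], detokenize(hsm, db, tok))
```

Two points a practitioner would check against a real deployment: the backfilled first secret is a fresh ciphertext (new nonce) rather than a byte-for-byte copy of the original, so nothing outside the module should key on ciphertext bytes; and backfill only works while the first key still exists in the module, which is why retiring a key and destroying it must be separate steps.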