US 11,784,798 B2
System, method, and computer program product for data security
Sivanarayana Gaddam, Santa Clara, CA (US); Yogesh Lokhande, Karnataka (IN); and Biju Abraham, Fremont, CA (US)
Assigned to Visa International Service Association, San Francisco, CA (US)
Filed by Visa International Service Association, San Francisco, CA (US)
Filed on Mar. 30, 2021, as Appl. No. 17/217,257.
Prior Publication US 2022/0321327 A1, Oct. 6, 2022
Int. Cl. H04L 29/06 (2006.01); H04L 9/08 (2006.01); H04L 9/06 (2006.01); H04L 9/30 (2006.01)
CPC H04L 9/0822 (2013.01) [H04L 9/0643 (2013.01); H04L 9/30 (2013.01)]
18 Claims
1. A computer-implemented method comprising:
storing, with at least one processor, in memory, a plurality of ciphers (C1, C2, . . . Cn) in association with a plurality of public keys (PK1, PK2, PKn), wherein the plurality of ciphers (C1, C2, . . . Cn) includes a plurality of secret keys (SK1, SK2, SKn) encrypted with a key encryption key (KEK), and wherein the plurality of secret keys (SK1, SK2, SKn) correspond to the plurality of public keys (PK1, PK2, PKn);
receiving, with at least one processor, a data chunk (Mi) for encryption;
generating, with at least one processor, a data encryption key (DEK) based on a hash function (H), a public key (PK1) of the plurality of public keys (PK1, PK2, PKn), and a random number (R);
encrypting, with at least one processor, the data chunk (Mi) with the DEK to generate an encrypted data chunk (CMi);
generating, with at least one processor, a header (Hdr) including a cipher (Ci) of the plurality of ciphers (C1, C2, . . . Cn) corresponding to the public key (PK1) of the plurality of public keys (PK1, PK2, PKn) and key encapsulation data;
storing, with at least one processor, in a database, a cipher text (CT) including the header (Hdr) and the encrypted data chunk (CMi);
receiving, with at least one processor, a request to decrypt the cipher text (CT);
in response to receiving a request to decrypt the cipher text (CT), providing, with at least one processor, to a hardware security module (HSM), the cipher (Ci);
receiving, with at least one processor, from the HSM, a secret key (SK1) of the plurality of secret keys (SK1, SK2, SKn) that corresponds to the public key (PK1) of the plurality of public keys (PK1, PK2, PKn) used to generate the DEK used to generate the encrypted data chunk (CMi);
deriving, with at least one processor, based on the secret key (SK1) received from the HSM and the key encapsulation data, the DEK used to generate the encrypted data chunk (CMi); and
providing, with at least one processor, the derived DEK for decrypting the encrypted data chunk (CMi) to obtain the data chunk (Mi).
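
The flow of claim 1, sketched as an added Python example (not code from the patent or its assignee). The claim does not name the algorithms, so this assumes a hashed Diffie-Hellman style encapsulation (DEK = H(PK^R), key encapsulation data = G^R), a toy group, a SHA-256 keystream standing in for an authenticated cipher, and a hypothetical ToyHSM class that holds the KEK.

```python
import hashlib
import secrets

P, G = 2**255 - 19, 2  # toy group parameters (assumption); use a vetted KEM in practice

def H(n: int) -> bytes:
    return hashlib.sha256(n.to_bytes(32, "big")).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for an authenticated cipher such as AES-GCM (assumption): no integrity.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class ToyHSM:
    """Hypothetical HSM: the KEK never leaves this object."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, sk: int) -> bytes:        # SK_i -> C_i
        nonce = secrets.token_bytes(12)
        return nonce + xor_stream(self._kek, nonce, sk.to_bytes(32, "big"))

    def unwrap(self, cipher: bytes) -> int:  # C_i -> SK_i
        return int.from_bytes(xor_stream(self._kek, cipher[:12], cipher[12:]), "big")

def provision(hsm: ToyHSM, n: int) -> dict:
    """Build the stored table {PK_i: C_i}; plaintext SK_i is not kept."""
    table = {}
    for _ in range(n):
        sk = secrets.randbelow(P - 2) + 1
        table[pow(G, sk, P)] = hsm.wrap(sk)
    return table

def encrypt(table: dict, pk: int, chunk: bytes) -> dict:
    r = secrets.randbelow(P - 2) + 1           # random number R, fresh per chunk
    dek = H(pow(pk, r, P))                     # DEK from H, PK_i and R
    hdr = {"cipher": table[pk], "encap": pow(G, r, P)}
    return {"hdr": hdr, "body": xor_stream(dek, b"", chunk)}  # DEK is single-use

def decrypt(hsm: ToyHSM, ct: dict) -> bytes:
    sk = hsm.unwrap(ct["hdr"]["cipher"])       # HSM returns SK_i for the C_i in Hdr
    dek = H(pow(ct["hdr"]["encap"], sk, P))    # DEK re-derived outside the HSM
    return xor_stream(dek, b"", ct["body"])
```

Encryption needs only the public key and the stored table, so the HSM is involved only in provisioning and in unwrapping C_i at decryption time.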