This invention relates to cryptography and, more particularly, to preserving data formats during encryption and decryption of data using embedding of information in data strings.
Cryptographic systems are used to secure data in a variety of contexts. For example, encryption algorithms are used to encrypt sensitive information such as financial account numbers, Social Security Numbers, and other personal information. Sensitive data is sometimes encrypted prior to storage in a database.
The Payment Card Industry Data Security Standard (PCI DSS) and other data security regulations often require a cryptographic system to support key rollover in which encryption keys are periodically changed and a key version number is required to obtain the appropriate encryption key when decrypting encrypted data. Key rollover support therefore requires additional information (e.g., key version numbers) to be stored in a database.
In order to overcome difficulties with adding additional data fields to an existing database, conventional cryptographic systems sometimes embed extra information within the data itself. This can be accomplished by mapping the data to an expanded character space prior to encryption in order to create extra space in which the extra information is stored.
However, some database columns and applications can be inflexible about data format. For example, a US Social Security Number is often required to be exactly 9 decimal digits, and may even be stored in binary formats (such as Packed Decimal) that cannot represent non-decimal digits and therefore cannot be mapped to an expanded character space.
Encryption techniques that encrypt and decrypt data without altering the format of the data are sometimes used to encrypt sensitive data while preserving the format of the sensitive data. However, it may be difficult to store additional information such as key version numbers while maintaining compatibility with inflexible data format restrictions.
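The following Python illustration is added here to make the preceding points concrete; it is not the method of this invention and not code from any cited standard. It uses a toy Feistel-network format-preserving cipher over decimal digits (an HMAC-SHA256 round function; this is not FF1 or FF3 and is for illustration only), a constructed key table indexed by key version number to stand in for key rollover, and a single base-36 character prepended to the ciphertext as the "expanded character space" in which the version is embedded. The key material, the SSN values and the 9-digit packed-decimal column check are all constructed assumptions.

```python
# Added illustration of the background above; not the patent's method.
# Toy Feistel-network FPE over decimal digits (HMAC-SHA256 round function,
# NOT FF1/FF3, not for production) used to show key rollover, embedding the
# key version in a widened character space, and why an inflexible 9-digit
# decimal column rejects the widened record.
import hashlib
import hmac

ROUNDS = 10
# Constructed key table: key version number -> key (key rollover support).
KEY_TABLE = {
    1: b"constructed-key-version-1",
    2: b"constructed-key-version-2",
}
# Expanded character space for the embedded version: one base-36 symbol.
VERSION_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _round_value(key: bytes, rnd: int, half: str, width: int) -> int:
    """Pseudo-random function for one Feistel round, reduced mod 10**width."""
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % (10 ** width)


def fpe_encrypt_digits(key: bytes, digits: str) -> str:
    """Encrypt a decimal string; output keeps the same length and alphabet."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("expected a decimal string of at least two digits")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = int(digits[:u]), int(digits[u:])
    for rnd in range(ROUNDS):
        if rnd % 2 == 0:  # even rounds modify the left half using the right
            a = (a + _round_value(key, rnd, str(b).zfill(v), u)) % 10 ** u
        else:             # odd rounds modify the right half using the left
            b = (b + _round_value(key, rnd, str(a).zfill(u), v)) % 10 ** v
    return str(a).zfill(u) + str(b).zfill(v)


def fpe_decrypt_digits(key: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: rounds in reverse order with subtraction."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = int(digits[:u]), int(digits[u:])
    for rnd in reversed(range(ROUNDS)):
        if rnd % 2 == 0:
            a = (a - _round_value(key, rnd, str(b).zfill(v), u)) % 10 ** u
        else:
            b = (b - _round_value(key, rnd, str(a).zfill(u), v)) % 10 ** v
    return str(a).zfill(u) + str(b).zfill(v)


def encrypt_record(version: int, ssn: str) -> str:
    """Encrypt under the given key version and embed that version in an
    extra base-36 character: the stored record is 10 alphanumeric symbols."""
    if len(ssn) != 9 or not ssn.isdigit():
        raise ValueError("SSN must be exactly 9 decimal digits")
    if not 0 <= version < len(VERSION_ALPHABET):
        raise ValueError("version does not fit in one base-36 symbol")
    if version not in KEY_TABLE:
        raise KeyError(f"no key for version {version}")
    return VERSION_ALPHABET[version] + fpe_encrypt_digits(KEY_TABLE[version], ssn)


def decrypt_record(record: str) -> str:
    """Read the embedded version, fetch the matching key, then decrypt."""
    version = VERSION_ALPHABET.index(record[0])
    return fpe_decrypt_digits(KEY_TABLE[version], record[1:])


def rollover_record(record: str, new_version: int) -> str:
    """Re-encrypt an existing record under a newer key version."""
    return encrypt_record(new_version, decrypt_record(record))


def fits_packed_decimal_ssn(value: str) -> bool:
    """Format check of an inflexible column: exactly 9 decimal digits."""
    return len(value) == 9 and value.isdigit()


if __name__ == "__main__":
    ssn = "078051120"  # constructed sample value
    bare = fpe_encrypt_digits(KEY_TABLE[1], ssn)
    rec = encrypt_record(1, ssn)
    print("bare FPE ciphertext:", bare, "fits column:", fits_packed_decimal_ssn(bare))
    print("record with version:", rec, "fits column:", fits_packed_decimal_ssn(rec))
    print("after rollover to v2:", rollover_record(rec, 2))
```

Running the demo shows the tension the text describes: the bare ciphertext passes the 9-digit check, while the record carrying the key version is 10 symbols long and may contain a letter, so it cannot be stored in the packed-decimal column even though the version is exactly what a decryptor needs after a key rollover.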
It would therefore be desirable to provide improved methods for supporting encryption key rollover during format-preserving encryption and decryption of data.