Patent Issued for Differential client-side encryption of information originating from a client (USPTO 11477180): PayPal Inc.

2022 NOV 07 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- According to news reporting originating from Alexandria, Virginia, by NewsRx journalists, a patent by the inventors Manges, Daniel (Chicago, IL, US), filed on March 3, 2020, was published online on October 18, 2022.

The assignee for this patent, patent number 11477180, is PayPal Inc. (San Jose, California, United States).

Reporters obtained the following quote from the background information supplied by the inventors: “Information such as personal data and other sensitive information may be passed across a network such as the Internet, for example to provide credential information, payment information, or personal account management information. To protect sensitive information, the information can be transmitted over a secure transmission connection, such as Transport Layer Security (TLS) or Secure Socket Layer (SSL).

“To secure information from unauthorized review, the information can be digitally encrypted. One example of digital encryption is public key cryptography. In the public key cryptography scheme, two separate but mathematically-connected keys (e.g., numeric values) are used to secure the information. The first, a public key, is used to encrypt the data using an encryption algorithm. The second, a private key, can be used by the receiver of the data to decrypt the encrypted information. The receiver supplies the sender with the public key such that the sender is capable of securely transmitting information to the receiver.

“The receiver of sensitive information may be obligated to secure the privacy of the user from unauthorized access to the sensitive information. Information may be sensitive if the information is confidential (e.g., industry and/or professional standards indicate that only designated parties should have access to the information). Information may be sensitive if a party incurs regulatory obligations for handling the information due to exposure to the information. Information may be sensitive if a party incurs potential liability due to handling of and/or exposure to the information.

“The receiver of the sensitive information, in some circumstances, may request the sensitive information from the user, not for use by the requestor, but for processing by a third party, such as a credit card system or a health insurance authorization system. There is a desire for a method and apparatus capable of enabling the conveyance of sensitive information through the system of the requestor without the requestor having access to the contents of the conveyance. If the requestor is incapable of rendering and/or interpreting the sensitive information, the requestor may avoid obligation to protect the sensitive information.”

In addition to obtaining background information on this patent, NewsRx editors also obtained the inventors’ summary information for this patent: “In one aspect, the present disclosure is directed to a method including allocating, by a processor of a first computing device, a number of public keys, where each respective public key of the number of public keys is allocated to a respective entity of a number of entities. The method may include storing, in a memory of the first computing device, a number of private keys, where each respective private key of the number of private keys corresponds to a respective public key of the number of public keys. The method may include storing, in the memory of the first computing device, one or more decryption algorithms, where each respective decryption algorithm of the one or more decryption algorithms is configured to decrypt data previously encrypted using at least one encryption algorithm of one or more encryption algorithms. Each respective encryption algorithm of the one or more encryption algorithms may be configured to encrypt data using at least one public key of the number of public keys. Each respective decryption algorithm of the one or more decryption algorithms may be configured to decrypt data using at least one private key of the number of private keys. The method may include receiving encrypted data, where the encrypted data is encrypted using a first public key of the number of public keys and a first encryption algorithm of the one or more encryption algorithms, and the encrypted data is provided over a network. The method may include determining, by the processor of the first computing device, a first private key of the number of private keys, where the first private key corresponds to the first public key, and the first public key is allocated to a first entity of the number of entities. The method may include decrypting, by the processor of the first computing device, the encrypted data using the first private key and at least one decryption algorithm of the one or more decryption algorithms, where decrypted data is obtained by decrypting the encrypted data. The method may include providing a portion of the decrypted data for processing by a processing engine, where a second computing device includes the processing engine. The method may include receiving a processing result generated by the processing engine, where the processing result relates to the portion of the decrypted data. The method may include providing, over the network, the processing result to the first entity.

“In some embodiments, the method may further include, prior to providing the portion of the decrypted data for processing by the processing engine, queuing, by the processor of the first computing device, the decrypted data for processing.

“The method may further include, prior to receiving the encrypted data, receiving a download request for the first encryption algorithm, where the download request is received across the network from a third computing device, and providing the first encryption algorithm, via the network, to the third computing device. The download request may include a hypertext transfer protocol request. The method may include storing, in the memory of the first computing device, the one or more encryption algorithms as one or more encryption subprograms, where providing the first encryption algorithm includes providing a first encryption subprogram of the one or more encryption subprograms, where the first encryption subprogram includes the first encryption algorithm. The first encryption subprogram may include runtime interpreted instructions.

“In some embodiments, the method may include storing at least one of the decrypted data and the encrypted data in a storage archive accessible to the first computing device. The method may include receiving, over the network, unencrypted data, where the unencrypted data is related to the encrypted data, and providing a portion of the unencrypted data for processing by the processing engine, where the portion of the unencrypted data is provided with the portion of the decrypted data.

“In some embodiments, the method may further include receiving, over the network, an indication of a type of processing to be performed on the encrypted data, where the indication of the type of processing is provided by a third computing device controlled by the first entity. The type of processing may include at least one of a credit card authorization and a background check. The encrypted data may include one or more of credit card information, medical history information, Social Security number, bank account number, and driver’s license number. The encrypted data may be provided over the network from a third computing device controlled by the first entity, and the first entity may be incapable of decrypting the encrypted data.”

The claims supplied by the inventors are:

“1. A data computer system, comprising: one or more processors; a network interface device; and a non-transitory computer-readable medium having stored thereon instructions that are executable by the one or more processors to cause the data computer system to perform operations comprising: receiving encrypted data corresponding to an electronic transaction between a user of a client device and a second entity that is not a controlling entity of the data computer system, wherein the electronic transaction was initiated by the client device, and wherein the encrypted data was encrypted by the client device using a public key allocated to the second entity by the data computer system; accessing a private key that is paired to the public key allocated to the second entity, wherein the private key is one of a plurality of private keys stored in an electronic storage system accessible by the data computer system; decrypting the encrypted data using the private key to obtain decrypted data corresponding to the electronic transaction; and providing, via the network interface device, a processing result for the electronic transaction, wherein the processing result is based on at least a portion of the decrypted data.

“2. The system of claim 1, wherein the operations further comprise storing a data package including the processing result in the electronic storage system.

“3. The system of claim 1, wherein the providing the processing result includes transmitting the processing result, via the network interface device, to an entity computer system that is separate from the data computer system.

“4. The system of claim 1, wherein the operations further comprise: receiving a notification regarding a success or a failure of the electronic transaction from an entity computer system based on the processing result; and transmitting the notification to the client device.

“5. The system of claim 1, wherein the encrypted data is received via a web interface of the data computer system.

“6. The system of claim 1, wherein the processing result indicates an identity of at least one of the user or the second entity.

“7. The system of claim 1, wherein the encrypted data is received via an application program interface (API) that has at least one parameter for specifying one or more encryption keys in an API call.

“8. A method, comprising: receiving, at a data computer system, encrypted data corresponding to an electronic transaction between a user of a client device and a second entity that is not a controlling entity of the data computer system, wherein the electronic transaction was initiated by the client device, and wherein the encrypted data was encrypted by the client device using a public key allocated to the second entity by the data computer system; accessing, by the data computer system, a private key that is paired to the public key allocated to the second entity, wherein the private key is one of a plurality of private keys stored in an electronic storage system accessible by the data computer system; decrypting, by the data computer system, the encrypted data using the private key; obtaining decrypted data corresponding to the electronic transaction based on the decrypting; and providing, by the data computer system, a processing result corresponding to the electronic transaction, wherein the processing result is based on at least a portion of the decrypted data.

“9. The method of claim 8, wherein the electronic transaction is a credit card transaction, and wherein the providing the processing result comprises transmitting the processing result to an entity system configured to provide an approval or a denial for the credit card transaction.

“10. The method of claim 9, further comprising: receiving, from the entity system, a transaction result indicating whether the credit card transaction is approved or denied; and transmitting the transaction result to the client device.

“11. The method of claim 8, wherein the processing result indicates an identity of at least one of the user or the second entity.

“12. The method of claim 8, further comprising storing a data package including the processing result in the electronic storage system.

“13. The method of claim 8, wherein the decrypted information includes one or more of a name or a geographic location corresponding to the user.

“14. The method of claim 8, wherein the encrypted data is received via an application program interface (API) that has at least one parameter for specifying one or more encryption keys in an API call.

“15. A non-transitory computer readable medium having instructions stored thereon that are executable by a data computer system to cause the data computer system to perform operations comprising: receiving encrypted data corresponding to an electronic transaction between a user of a client device and a second entity that is not a controlling entity of the data computer system, wherein the electronic transaction was initiated by the client device, and wherein the encrypted data was encrypted by the client device using a public key allocated to the second entity by the data computer system; accessing a private key that is paired to the public key allocated to the second entity, wherein the private key is one of a plurality of private keys stored in an electronic storage system accessible by the data computer system; decrypting the encrypted data using the private key to obtain decrypted data corresponding to the electronic transaction; and providing a processing result for the electronic transaction, wherein the processing result is based on at least a portion of the decrypted data.

“16. The non-transitory computer readable medium of claim 15, wherein the operations further comprise storing a data package including the processing result in the electronic storage system.

“17. The non-transitory computer readable medium of claim 15, wherein the providing the processing result includes transmitting the processing result, via a network interface device, to an entity computer system that is separate from the data computer system.

“18. The non-transitory computer readable medium of claim 15, wherein the operations further comprise: receiving a notification regarding a success or a failure of the electronic transaction from an entity computer system based on the processing result; and transmitting the notification to the client device.

“19. The non-transitory computer readable medium of claim 15, wherein the encrypted data is received via an application program interface (API) that has at least one parameter for specifying one or more encryption keys in an API call.

“20. The non-transitory computer readable medium of claim 15, wherein the processing result indicates an identity of at least one of the user or the second entity.”

For more information, see this patent: Manges, Daniel. Differential client-side encryption of information originating from a client. U.S. Patent Number 11477180, filed March 3, 2020, and published online on October 18, 2022. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=11477180.PN.&OS=PN/11477180RS=PN/11477180

(Our reports deliver fact-based news of research and discoveries from around the world.)