Managing Protection Policy
Protection policy defines a set of rules that govern the cryptographic operations. The protection policy includes entities such as algorithm, key, character set, access policy and so on.
Protection policy specifications
Supported key types
Symmetric AES keys are supported.
The keys must be marked exportable on the CipherTrust Manager.
Note
The key used in the protection policy must be added to the Application Data Protection Clients Group with Read, Encrypt, Decrypt, and Export permissions.
Supported protection methods and their specifications
FPE/AES
| IV | IV is derived form the character length. To know how to calculate the required IV, click here |
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE — NULL |
| Tweak | It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. Possible combinations of tweak algorithm and tweak data : — SHA1: tweak data should be ≤ 256 characters. — SHA256: tweak data should be ≤ 256 characters. — None: tweak data must be 16 characters HEX encoded string. — NULL: Tweak data is not applicable. |
FPE/FF1v2
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE — NULL |
| Tweak | It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. Possible combinations of tweak algorithm and tweak data : — SHA1: tweak data should be ≤ 256 characters. — SHA256: tweak data should be ≤ 256 characters. — None: tweak data must be 16 characters HEX encoded string. — NULL: Tweak data is not applicable. |
FPE/FF3
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE |
| Tweak | It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. Possible combinations of tweak algorithm and tweak data : — SHA1: tweak data should be ≤ 256 characters. — SHA256: tweak data should be ≤ 256 characters. — None: tweak data must be 16 characters HEX encoded string. |
FPE/FF3-1
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE |
| Tweak | It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. Possible combinations of tweak algorithm and tweak data : — SHA1: tweak data should be ≤ 256 characters. — SHA256: tweak data should be ≤ 256 characters. — None: tweak data must be 14 characters HEX encoded string. |
AES
| Modes | Supported modes are: — CBC — ECB |
| Padding Schemes | — PKCS5Padding — NoPadding |
| IV | If mode is CBC, a IV of 16-byte is required. For ECB mode, IV is not required. |
| Key Size | 128, 192, and 256. |
| Identifier Strings | — AES/CBC/NoPadding — AES/CBC/PKCS5Padding — AES/ECB/NoPadding — AES/ECB/PKCS5Padding |
Supported character set
For FPE, the Application Data Protection supports configurable character sets.
Note
FPE requires minimumtwo characters from the character set to perform crypto operations.
Protection Policy versioning
When a protection policy is created, by default, Version1 is assigned to it. If the existing protection policy is modified, a new version of the protection policy is created with modified fields.
A prepended tagged ciphertext (Version header + Ciphertext) will be created when data is protected with versioned policies. This header version is used by connectors to retrieve the respective version of a particular protection policy. The advantage of the versioned policies is - online modification of protection policy can happen seamlessly by creating a new version of the protection policy.
The Application Data Protection supports following types of versioning:
Internal Version Header- also referred to as internal versioning. The version bytes are prepended to the ciphertext. This is the default versioning. For example, <version header bytes> <ciphertext>
External Version Header- also referred to as external versioning. The version details are stored in a separate parameter. For example:
<ciphertext>
<parameter name storing the version header bytes>
This field will vary according to the chosen connector type.
For DPG, this field is configured while creating DPG policy.
- Disable Versioning- if selected, the protection policy can't be modified. In such cases, only
Version 0of a key will be used to protect/reveal data. Use this option if you only want ciphertext and no information about the version bytes.
Note
If a set of data is already encrypted with a protection policy, ensure to decrypt the data with the same protection policy.
The versioning type selected during the protection policy creation can't be modified.
In this article you will learn how to:
