Managing Protection Policy
A protection policy defines the set of rules that govern cryptographic operations. It includes entities such as the algorithm, key, character set and access policy.
Protection policy specifications
Supported key types
Symmetric AES keys are supported.
The keys must be marked exportable on the CipherTrust Manager.
Note
The key used in the protection policy must be added to the Application Data Protection Clients Group with Read, Encrypt, Decrypt, and Export permissions.
When adding the application on the CipherTrust Manager, select the Client Groups field so that the key (to which the group has access) can be used with the protection policy.
Supported protection methods and their specifications
FPE/AES

| Parameter | Specification |
| --- | --- |
| IV | The IV is derived from the character length. See the IV calculation procedure for how to compute the required IV. |
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm applied to the specified tweak data beforehand. Possible options: SHA1, SHA256, NONE, NULL. |
| Tweak | Applies the tweakable-cipher concept to protect against statistical attacks made possible by a potentially small input/output space. Valid combinations of tweak algorithm and tweak data: SHA1: tweak data must be 256 characters or fewer; SHA256: tweak data must be 256 characters or fewer; NONE: tweak data must be a 16-character hex-encoded string; NULL: tweak data is not applicable. |

FPE/FF1v2

| Parameter | Specification |
| --- | --- |
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm applied to the specified tweak data beforehand. Possible options: SHA1, SHA256, NONE, NULL. |
| Tweak | Applies the tweakable-cipher concept to protect against statistical attacks made possible by a potentially small input/output space. Valid combinations of tweak algorithm and tweak data: SHA1: tweak data must be 256 characters or fewer; SHA256: tweak data must be 256 characters or fewer; NONE: tweak data must be a 16-character hex-encoded string; NULL: tweak data is not applicable. |

FPE/FF3

| Parameter | Specification |
| --- | --- |
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm applied to the specified tweak data beforehand. Possible options: SHA1, SHA256, NONE. |
| Tweak | Applies the tweakable-cipher concept to protect against statistical attacks made possible by a potentially small input/output space. Valid combinations of tweak algorithm and tweak data: SHA1: tweak data must be 256 characters or fewer; SHA256: tweak data must be 256 characters or fewer; NONE: tweak data must be a 16-character hex-encoded string. |

FPE/FF3-1

| Parameter | Specification |
| --- | --- |
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm applied to the specified tweak data beforehand. Possible options: SHA1, SHA256, NONE. |
| Tweak | Applies the tweakable-cipher concept to protect against statistical attacks made possible by a potentially small input/output space. Valid combinations of tweak algorithm and tweak data: SHA1: tweak data must be 256 characters or fewer; SHA256: tweak data must be 256 characters or fewer; NONE: tweak data must be a 14-character hex-encoded string. |

AES

| Parameter | Specification |
| --- | --- |
| Modes | Supported modes: CBC, ECB. |
| Padding Schemes | PKCS5Padding, NoPadding. |
| IV | In CBC mode a 16-byte IV is required. In ECB mode no IV is used. |
| Key Size | 128, 192, and 256. |
| Identifier Strings | AES/CBC/NoPadding, AES/CBC/PKCS5Padding, AES/ECB/NoPadding, AES/ECB/PKCS5Padding. |
Supported character set
For FPE, Application Data Protection supports configurable character sets.
Note
FPE requires a minimum of two characters in the character set to perform crypto operations.
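The constraints in the tables above (tweak algorithm versus tweak data, key size, CBC IV length, the two-character minimum for FPE) are easy to get wrong when a policy is assembled by hand. The validator below is an added example, not part of the CipherTrust documentation or product code; the policy dictionary layout and the field names `method`, `key_size`, `tweak_algorithm`, `tweak`, `charset` and `iv` are assumptions made for illustration.

```python
"""Check a protection-policy definition against the specification tables.

Added example; the dict layout and field names are assumptions, not the
product's own schema.
"""
import re

# Per FPE method: (allowed tweak algorithms, hex length required when algorithm is NONE)
FPE_TWEAK_RULES = {
    "FPE/AES":   ({"SHA1", "SHA256", "NONE", "NULL"}, 16),
    "FPE/FF1v2": ({"SHA1", "SHA256", "NONE", "NULL"}, 16),
    "FPE/FF3":   ({"SHA1", "SHA256", "NONE"}, 16),
    "FPE/FF3-1": ({"SHA1", "SHA256", "NONE"}, 14),
}
AES_IDENTIFIERS = {"AES/CBC/NoPadding", "AES/CBC/PKCS5Padding",
                   "AES/ECB/NoPadding", "AES/ECB/PKCS5Padding"}
KEY_SIZES = {128, 192, 256}


def validate_policy(policy):
    """Return a list of violations; an empty list means the policy is consistent."""
    errors = []
    if policy.get("key_size") not in KEY_SIZES:
        errors.append("key size must be 128, 192 or 256")
    method = policy.get("method", "")
    if method in FPE_TWEAK_RULES:
        allowed, hex_len = FPE_TWEAK_RULES[method]
        alg = policy.get("tweak_algorithm", "")
        data = policy.get("tweak", "")
        if alg not in allowed:
            errors.append(f"{method} does not support tweak algorithm {alg!r}")
        elif alg in ("SHA1", "SHA256") and len(data) > 256:
            errors.append("hashed tweak data must be 256 characters or fewer")
        elif alg == "NONE" and not re.fullmatch(rf"[0-9A-Fa-f]{{{hex_len}}}", data):
            errors.append(f"tweak must be a {hex_len}-character hex string when algorithm is NONE")
        elif alg == "NULL" and data:
            errors.append("tweak data is not applicable when algorithm is NULL")
        # FPE needs at least two characters in the configured character set
        if len(policy.get("charset", "")) < 2:
            errors.append("FPE needs at least two characters in the character set")
    elif method in AES_IDENTIFIERS:
        mode = method.split("/")[1]
        iv = policy.get("iv", b"")
        if mode == "CBC" and len(iv) != 16:
            errors.append("AES/CBC requires a 16-byte IV")
        if mode == "ECB" and iv:
            errors.append("AES/ECB takes no IV")
    else:
        errors.append(f"unknown protection method {method!r}")
    return errors
```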
Protection Policy versioning
Protection policy versioning is the process of assigning a version number to each iteration of a protection policy. This process helps track changes and updates made to a protection policy.
Refer to Protection Policy Versioning Details for more information on protection policy versioning.
In this article you will learn how to: