Managing Protection Policy
Protection policy defines a set of rules that govern the cryptographic operations to be performed in the application data protection. A protection policy includes entities such as algorithm, key, character set, access policy and so on.
Protection policy specifications
Supported key types
Symmetric AES keys are supported.
The keys must be marked exportable on the CipherTrust Manager. The key to be used in the protection policy must be added to a group with Read, Encrypt, Decrypt, and Export permissions. For example, this group can be Application Data Protection Clients.
Note
While adding an application on the CipherTrust Manager, in the Client Groups field, select the group with which the key to be used in the protection policy was associated (for example, Application Data Protection Clients).
Supported algorithms and their specifications
FPE/AES
| IV | IV is derived form the character length. To know how to calculate the required IV, click here. |
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE — NULL |
| Tweak | It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. Possible combinations of tweak algorithm and tweak data : — SHA1: tweak data should be ≤ 256 characters. — SHA256: tweak data should be ≤ 256 characters. — None: tweak data must be 16 characters HEX encoded string. — NULL: Tweak data is not applicable. |
FPE/FF1v2
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE — NULL |
| Tweak | It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. Possible combinations of tweak algorithm and tweak data : — SHA1: tweak data should be ≤ 256 characters. — SHA256: tweak data should be ≤ 256 characters. — None: tweak data must be 16 characters HEX encoded string. — NULL: Tweak data is not applicable. |
FPE/FF3
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE |
| Tweak | It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. Possible combinations of tweak algorithm and tweak data : — SHA1: tweak data should be ≤ 256 characters. — SHA256: tweak data should be ≤ 256 characters. — None: tweak data must be 16 characters HEX encoded string. |
FPE/FF3-1
| Cardinality | Unicode. |
| Key Size | 128, 192, and 256. |
| Tweak Algorithm | Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE |
| Tweak | It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. Possible combinations of tweak algorithm and tweak data : — SHA1: tweak data should be ≤ 256 characters. — SHA256: tweak data should be ≤ 256 characters. — None: tweak data must be 14 characters HEX encoded string. |
AES
| Modes | Supported modes are: — CBC — ECB |
| Padding Schemes | — PKCS5Padding — NoPadding |
| IV | If mode is CBC, a IV of 16-byte is required. For ECB mode, IV is not required. |
| Key Size | 128, 192, and 256. |
| Identifier Strings | — AES/CBC/NoPadding — AES/CBC/PKCS5Padding — AES/ECB/NoPadding — AES/ECB/PKCS5Padding |
Supported character set
For FPE, the Application Data Protection supports configurable character sets.
Note
FPE requires minimum two characters from the character set to perform crypto operations.
Protection policy versioning
Application protection policies are versioned. Whenever a protection policy is modified, the version increases by one. The versioning helps track changes and updates made to a protection policy.
Refer to Protection Policy Versioning Details for more information on protection policy versioning.
In this article you will learn how to:
