Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Application Data Protection Administration

Managing Protection Policy

search

Please Note:

printsuggest an editpdf paneldownload

Managing Protection Policy

Protection policy defines a set of rules that govern the cryptographic operations to be performed in the application data protection. A protection policy includes entities such as algorithm, key, character set, access policy and so on.

copy link to clipboardProtection policy specifications

copy link to clipboardSupported key types

Symmetric AES keys are supported.

The keys must be marked exportable on CipherTrust Manager. The key to be used in the protection policy must be added to a group with Read, Encrypt, Decrypt, and Export permissions. One such example of group is Application Data Protection Clients.

Note

While adding an application on CipherTrust Manager, in the Client Groups field, select the group with which the key to be used in the protection policy was associated (for example, Application Data Protection Clients).

copy link to clipboardSupported algorithms and their specifications

copy link to clipboardFPE/AES

IVThe IV length is dependent on the cardinality of the character set. To know the required IV length, click here.
CardinalityUnicode.
Key Size128, 192, and 256.
Tweak AlgorithmHashing algorithm to be applied to the specified tweak data beforehand. Possible options are:
— SHA1
— SHA256
— NONE
— NULL
TweakIt uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space.
Possible combinations of tweak algorithm and tweak data :
— SHA1: tweak data should be ≤ 256 characters.
— SHA256: tweak data should be ≤ 256 characters.
— None: tweak data must be 16 characters HEX encoded string.
— NULL: Tweak data is not applicable.

copy link to clipboardFPE/FF1v2

CardinalityUnicode.
Key Size128, 192, and 256.
Tweak AlgorithmHashing algorithm to be applied to specified tweak data beforehand. Possible options are:
— SHA1
— SHA256
— NONE
— NULL
TweakIt uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space.
Possible combinations of tweak algorithm and tweak data :
— SHA1: tweak data should be ≤ 256 characters.
— SHA256: tweak data should be ≤ 256 characters.
— None: tweak data must be 16 characters HEX encoded string.
— NULL: Tweak data is not applicable.

copy link to clipboardFPE/FF3

CardinalityUnicode.
Key Size128, 192, and 256.
Tweak AlgorithmHashing algorithm to be applied to specified tweak data beforehand. Possible options are:
— SHA1
— SHA256
— NONE
TweakIt uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space.
Possible combinations of tweak algorithm and tweak data :
— SHA1: tweak data should be ≤ 256 characters.
— SHA256: tweak data should be ≤ 256 characters.
— None: tweak data must be 16 characters HEX encoded string.

copy link to clipboardFPE/FF3-1

Note

For FF3-1, the maximum supported data length to be protected is dependent on the cardinality of the character set. The input data length must be <= the block-size.

CardinalityUnicode.
Key Size128, 192, and 256.
Tweak AlgorithmHashing algorithm to be applied to specified tweak data beforehand. Possible options are:
— SHA1
— SHA256
— NONE
TweakIt uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space.
Possible combinations of tweak algorithm and tweak data :
— SHA1: tweak data should be ≤ 256 characters.
— SHA256: tweak data should be ≤ 256 characters.
— None: tweak data must be 14 characters HEX encoded string.

copy link to clipboardAES

ModesSupported modes are: — CBC
— ECB
Padding Schemes— PKCS5Padding
— NoPadding
note

Note

When using AES with NoPadding in CBC or ECB mode, then you must supply the cipher text in multiples of 16 bytes.

IVIf mode is CBC, a IV of 16-byte (any UTF-8 character input) is required. For ECB mode, IV is not supported.
Key Size128, 192, and 256.
Identifier Strings— AES/CBC/NoPadding
— AES/CBC/PKCS5Padding
— AES/ECB/NoPadding
— AES/ECB/PKCS5Padding

copy link to clipboardSupported character set

For FPE, the Application Data Protection supports configurable character sets.

Note

FPE requires minimum two characters from the character set to perform crypto operations.

copy link to clipboardProtection policy versioning

Application protection policies are versioned. Whenever a protection policy is modified, the version increases by one. The versioning helps track changes and updates made to a protection policy.

Refer to Protection Policy Versioning Details for more information on protection policy versioning.

copy link to clipboardWhat's Next

In this article you will learn how to:

copy link to clipboardReferences

On this page