Protection Policy
A protection policy defines a set of rules that govern cryptographic operations. It includes entities such as the algorithm, key, IV, access policy name, and character set. Refer to Managing Protection Policy for details.
Protection policy specifications
Internal versioning protection policy
It is a type of protection policy where the version header is prepended to the ciphertext, for example, 1001000B1E06A7C20585E0F5A13233953B4971D. The protected text reserves 7 digits for the version header. The permissible version header range is 1001000 - 1999999.
The first digit is reserved for the type
The next 3 digits are reserved for the protection policy version
The last 3 digits are reserved for the key version.
Important Notes
Prepending the 7-digit version header increases the length of the ciphertext, so the length of the column receiving the ciphertext increases by 7.
During a protect operation on a Fixed Length File, trailing white spaces in the plaintext are removed so that the version header can be prepended to the ciphertext.
External versioning protection policy
It is a type of protection policy where the version header is not part of the ciphertext but is stored in a separate column. Specify the column name (where you want the version header value to be inserted) in the Version header column. Refer to Managing Job Configuration for details.
Important Notes
Protect operation
For transformations where the destination is a database, the version header column must exist in the destination table. Otherwise, the following error is thrown:
Version header column <version header name> not present in destination table.
Note
If the Create Destination check box is selected, BDT creates a column with the name specified in the version header column parameter (if it is not already present in the source) with datatype VARCHAR(7). For Oracle, the datatype is VARCHAR2(7).
If the destination table already contains a column with the same name as the version header column value, BDT uses that column to store the version header value.
For transformations where the destination is a file, if the version header column is already present in the source, its data is overwritten with the version header value. If the version header column does not exist, BDT creates the column in the output file.
For Fixed Length File transformations, the following points apply:
If the length of the version header column value is greater than 7, BDT pads the version header value with spaces.
If the length of the version header column value is less than 7, BDT pads the version header column name with spaces.
If the version header column is already present in the destination, the length of the original column is used.
Reveal Operation
If the version header column is not null or does not exist in the source table or input file, BDT throws the following error:
Version header column is not present in source.
Disable versioning protection policy
It is a type of policy where version header information is not returned with the ciphertext. In this scenario, only Version 0 of a key can be used to protect data.
Luhn check
A Luhn check is a method of validating identification numbers. A protection policy can be configured to protect or reveal Luhn-compliant data. This check is compatible only with the All digits character set (0-9) and FPE algorithms. The Luhn check requires a minimum of 3 characters to perform cryptographic operations. For configuring the Luhn data format, refer to Creating Protection Policy.
Prefix
It is a user-friendly name that helps the user identify the type of data being protected. This value is specified while creating a protection policy. For configuring the prefix, refer to Creating Protection Policy.
Note
During a protect operation on a Fixed Length File, trailing white spaces in the plaintext are removed so that the prefix can be prepended to the ciphertext.
Static masking format
Allows you to preserve the starting and ending characters of the input data. The remaining characters are protected using the selected algorithm. It is applicable only to FPE algorithms. Refer to Masking Format for details.
Allow Small Input Value
Support available in CipherTrust Manager future releases
Support for handling small input values will be available in CipherTrust Manager 2.22 and higher versions.
Format-preserving algorithms require a character set during cryptographic operations. When the effective input length does not meet the minimum length supported by the underlying algorithm, an error is thrown. To handle this scenario, use the Allow Small Input parameter, which allows BDT to process small input values.
Conversely, if the Allow Small Input parameter is disabled and a user attempts to protect a small input value, BDT does not process it and returns the following error: Input buffer is too short (len=1), it has to be at least 2 bytes long
This parameter is only supported with FPE and Random2 algorithms.
Random nonce
Support for Random Nonce in AES algorithms will be available in CipherTrust Manager 2.22 and higher versions.
A random nonce is a randomly generated nonce (IV) that is used only once in cryptographic operations. It can be internal, external, or disabled.
Internal random nonce: The nonce generated during protect is returned with the ciphertext. The structure of the protected value is as follows: versionheader + prefix + nonce + ciphertext. Internal random nonce works with internal and disabled versioning protection policies.
External random nonce: The nonce generated during protect is not part of the ciphertext but is stored in a separate column. Specify the column name (where you want the random nonce value to be inserted) when creating the job configuration. External random nonce works with external and disabled versioning protection policies.
Disabled random nonce: The nonce is not returned with the ciphertext. A disabled nonce can be used with internal, external, or disabled versioning protection policies.
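As an added illustration (not BDT code or output), the following Python parses the 7-digit internal version header described under Internal versioning protection policy and the internal random nonce layout described above (versionheader + prefix + nonce + ciphertext). The prefix string and the nonce length are caller-supplied assumptions, since the prefix is user-defined and the page does not state the nonce length.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# From the page: a 7-digit header in the range 1001000-1999999, laid out as
# 1 type digit + 3 protection policy version digits + 3 key version digits.
VERSION_HEADER_LEN = 7
VERSION_HEADER_MIN = 1001000
VERSION_HEADER_MAX = 1999999
_HEADER_RE = re.compile(r"^[0-9]{7}")


@dataclass(frozen=True)
class VersionHeader:
    type_digit: int
    policy_version: int
    key_version: int


def parse_version_header(protected: str) -> Tuple[VersionHeader, str]:
    """Split an internally versioned value into its header and the remaining text.

    Raises ValueError when the first 7 characters are not ASCII digits or the
    header lies outside the permitted range, so a reveal job can reject a
    malformed row before any decryption is attempted.
    """
    match = _HEADER_RE.match(protected)
    if match is None:
        raise ValueError("value does not start with a 7-digit version header")
    header = match.group(0)
    if not VERSION_HEADER_MIN <= int(header) <= VERSION_HEADER_MAX:
        raise ValueError(f"version header {header} outside range 1001000-1999999")
    parsed = VersionHeader(int(header[0]), int(header[1:4]), int(header[4:7]))
    return parsed, protected[VERSION_HEADER_LEN:]


def split_internal_nonce_value(protected: str, prefix: str, nonce_len: int,
                               versioned: bool = True) -> Tuple[Optional[VersionHeader], str, str]:
    """Decompose 'versionheader + prefix + nonce + ciphertext' (internal nonce layout).

    With versioned=False (disabled versioning policy) no header is expected.
    `prefix` and `nonce_len` are assumptions supplied by the caller.
    """
    header, rest = parse_version_header(protected) if versioned else (None, protected)
    if not rest.startswith(prefix):
        raise ValueError("expected prefix not found")
    body = rest[len(prefix):]
    if len(body) <= nonce_len:
        raise ValueError("value too short to hold a nonce followed by ciphertext")
    return header, body[:nonce_len], body[nonce_len:]
```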
Important Notes
Protect Operation
For transformations where the destination is a database, the random nonce column must exist in the destination table. Otherwise, the following error is thrown:
Random nonce column <random nonce column name> not present in destination table.
Note
If the Create Destination check box is selected, BDT creates a column with the name specified in the random nonce column parameter (if it is not already present in the source) with datatype VARCHAR(32). For Oracle, the datatype is VARCHAR2(32).
If the destination table already contains a column with the same name as the random nonce column value, BDT uses that column to store the random nonce value.
For transformations where the destination is a file, if the random nonce column is already present in the source, its data is overwritten with the random nonce value. If the random nonce column does not exist, BDT creates the column in the output file.
For Fixed Length File transformations, the following points apply:
If the length of the random nonce column value is greater than 32, BDT pads the random nonce value with spaces.
If the length of the random nonce column value is less than 32, BDT pads the random nonce column name with spaces.
If the random nonce column is already present in the destination, the length of the original column is used.
Reveal Operation
If the random nonce column is not null or does not exist in the source table or input file, BDT throws the following error:
Random nonce column is not present in source.