Protection Policy Functionalities
This article explains the functionalities of a protection policy. These functionalities are configured when creating a protection policy on CipherTrust Manager. Refer to Managing Protection Policy for details.
Internal versioning protection policy
It is a type of protection policy where the version header is prepended to the ciphertext. The protected text reserves 7 digits for the version header:
The first digit is reserved for the type.
The next 3 digits are reserved for the protection policy version.
The last 3 digits are reserved for the key version.
For example, the protected text 100100031323132313231232123 breaks down as follows:
Value | Meaning
1 | type
001 | protection policy version
000 | key version
31323132313231232123 | ciphertext
The permissible version header range is 1001000 to 1999999.
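The following Python snippet is an added illustration of the header layout described above; it is not CipherTrust Manager code. It takes the 7-digit layout (1 digit type, 3 digits protection policy version, 3 digits key version) and the permissible header range 1001000 to 1999999 from this page; the function and class names are assumptions chosen for the example. It is useful when a connector or log pipeline needs to tell which policy and key version a stored value was protected with before attempting a reveal.

```python
"""Parse and build the 7-digit internal version header of a protected value.

Example code added to this page, not CipherTrust Manager code. The field
widths and the permissible range come from the page; the names are ours.
"""
from dataclasses import dataclass

HEADER_LEN = 7
HEADER_MIN = 1001000  # lowest permissible header (type 1, policy v1, key v0)
HEADER_MAX = 1999999  # highest permissible header


@dataclass(frozen=True)
class VersionHeader:
    policy_type: int      # first digit
    policy_version: int   # next 3 digits
    key_version: int      # last 3 digits
    ciphertext: str       # everything after the 7-digit header


def _is_ascii_digits(s: str) -> bool:
    """True only for the characters 0-9 (str.isdigit alone accepts other scripts)."""
    return s != "" and all("0" <= c <= "9" for c in s)


def parse_internal_versioned(protected: str) -> VersionHeader:
    """Split an internally versioned protected value into header fields and ciphertext.

    Raises ValueError when the value does not start with a 7-digit header or
    when the header lies outside the permissible range.
    """
    head = protected[:HEADER_LEN]
    if len(head) != HEADER_LEN or not _is_ascii_digits(head):
        raise ValueError("protected text does not start with a 7-digit version header")
    header = int(head)
    if not HEADER_MIN <= header <= HEADER_MAX:
        raise ValueError(
            f"version header {header} outside permissible range {HEADER_MIN}-{HEADER_MAX}"
        )
    return VersionHeader(
        policy_type=int(head[0]),
        policy_version=int(head[1:4]),
        key_version=int(head[4:7]),
        ciphertext=protected[HEADER_LEN:],
    )


def build_internal_versioned(policy_type: int, policy_version: int,
                             key_version: int, ciphertext: str) -> str:
    """Inverse of parse_internal_versioned: prepend a zero-padded header."""
    if not (0 <= policy_type <= 9 and 0 <= policy_version <= 999 and 0 <= key_version <= 999):
        raise ValueError("field value does not fit its digit width")
    header = f"{policy_type:01d}{policy_version:03d}{key_version:03d}"
    if not HEADER_MIN <= int(header) <= HEADER_MAX:
        raise ValueError(f"version header {header} outside permissible range")
    return header + ciphertext


if __name__ == "__main__":
    # The example value from the page.
    print(parse_internal_versioned("100100031323132313231232123"))
```

Running the block prints the parsed fields of the page's own example value: type 1, protection policy version 1, key version 0, and the remaining 20 characters as ciphertext. A header such as 1000000 (policy version 0) is rejected because it falls below the permissible range.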
External versioning protection policy
It is a type of protection policy where the version header is not part of the ciphertext. In an external versioning protection policy, the version header details are stored in a separate column or field, depending on the chosen connector type and its configuration.
Disable versioning protection policy
A disabled versioning protection policy is a policy without a version header. If Disable Versioning is selected, the protection policy cannot be modified. In such cases, only Version 0 of a key will be used to protect or reveal data.
Luhn check
A Luhn check is a checksum formula used to validate identification numbers. A protection policy can be configured to protect or reveal only Luhn-compliant data. This check is only compatible with the All digits character set (0-9) and FPE algorithms. The Luhn check requires a minimum of 3 characters to perform crypto operations.
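The following Python snippet is an added example of the Luhn (mod 10) checksum that the Luhn check option applies; it is not CipherTrust Manager code. It implements the standard Luhn algorithm and mirrors the two prerequisites stated above, namely that the value must consist only of the digits 0-9 and must be at least 3 characters long. The function names and the eligibility helper are assumptions chosen for the example; the sample numbers are constructed test values, not real identifiers.

```python
"""Luhn (mod 10) checksum with the eligibility rules stated on this page.

Example code added to this page, not CipherTrust Manager code.
"""

LUHN_MIN_LEN = 3  # the page states the check needs at least 3 characters


def _is_ascii_digits(s: str) -> bool:
    """True only for the characters 0-9 (the 'All digits' character set)."""
    return s != "" and all("0" <= c <= "9" for c in s)


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum mod 10 of a digit string; 0 means the string is valid."""
    total = 0
    # Walk from the rightmost digit, doubling every second digit and
    # subtracting 9 from any doubled value above 9 (same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def is_luhn_eligible(value: str) -> bool:
    """Check the page's prerequisites: digits 0-9 only and length >= 3."""
    return _is_ascii_digits(value) and len(value) >= LUHN_MIN_LEN


def luhn_valid(value: str) -> bool:
    """Validate a value; raise if it does not meet the eligibility rules."""
    if not is_luhn_eligible(value):
        raise ValueError("value must be 0-9 only and at least 3 characters long")
    return luhn_checksum(value) == 0


def luhn_append_check_digit(payload: str) -> str:
    """Append the check digit that makes payload + digit Luhn-valid."""
    if not _is_ascii_digits(payload):
        raise ValueError("payload must consist of the digits 0-9")
    # With a trailing "0" the positions line up as in the final number;
    # the check digit is whatever brings the sum to a multiple of 10.
    return payload + str((10 - luhn_checksum(payload + "0")) % 10)


if __name__ == "__main__":
    # Constructed sample values, not real account numbers.
    sample = luhn_append_check_digit("7992739871")
    print(sample, luhn_valid(sample))          # valid
    print(luhn_valid("79927398710"))           # one digit changed: invalid
```

Because an FPE output that must stay Luhn-compliant is itself a digit string of the same length, the same luhn_valid check can be run on both the input and the protected value when verifying a policy that has the Luhn option enabled.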
Prefix
It is a user-friendly name that helps the user identify the type of data being protected.
Static masking format
Allows you to preserve the starting and ending characters of the input data. The remaining characters are protected based on the selected algorithm. It is only applicable to FPE algorithms.
Random nonce
Support for Random Nonce in AES algorithms will be available in CipherTrust Manager 2.22 and higher versions.
A random nonce is a randomly generated nonce (IV) that can be used only once in cryptographic operations. It can be internal, external, or disabled.
Internal: The nonce generated during protect is returned with the ciphertext. The structure of the ciphertext is as follows:
versionheader + prefix + nonce + ciphertext
Internal random nonce works with internal and disabled versioning protection policies.
External: The nonce generated during protect is returned in a separate field depending on the chosen connector type. External nonce works with external and disabled versioning protection policies.
Disable: In this case, the nonce is not returned with the ciphertext. Disable nonce can be used with internal, external, or disabled versioning protection policies.
Structure of Ciphertext
Based on the protection policy functionalities selected, the overall structure of the ciphertext is:
version header + prefix + nonce + ciphertext + AuthTag