Examples of Re-Keying and Key Rotation

For example, here is a token vault before a re-key operation:

The mac and ciphertext values have been truncated to fit the page.

The KEYROTATIONDATE column indicates that the table was last re-keyed on 13-NOV-11. The rows with no value in the KEYROTATIONDATE column were added after the last re-key.

Here is sfnt_key_table:

TABLENAME       ENCKEY      HMAC        KEYKEYROTATIONDATE
-----------------------------------------------------------------------------

SOME_VAULT      encKey      macKey

Notice that there is no value for KEYROTATIONDATE in sfnt_key_table. The value is removed when the re-key process ends.

Rotate the encryption key (here, it’s encKey) from the Key Manager.

Run the re-key operation from the command line:

java -cp C:\Tokenization\lib\ext\SafeNetTokenService-8.12.4.000.jar
com.safenet.token.ReKey SOME_VAULT YourKeyManagerUser YourDatabaseUser

The system prompts you for the NAE and database user passwords. These passwords will be masked.

Enter NAE password: Enter database password:
ReKey Operation Parameters: Table Name= SOME_VAULT
NAE User Name= YourKeyManagerUser Database User Name = YourDatabaseUser
Run the ReKey operation? [Yes|No] Yes STARTING KEY ROTATION
TOKEN VAULT INFO HAS BEEN SET FOR TOKEN VAULT SOME_VAULT 5000 TOTAL ROW(S).
5000 ROW(S) WILL BE RE-KEYED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
REKEY SOME_VAULT STARTED: 2011-11-15 12:13:47.925
5000 TOTAL ROWS(S) COMMITTED.
REKEY SOME_VAULT ENDED: 2011-11-15 12:13:48.16
TOKEN VAULT INFO HAS BEEN SET FOR TOKEN VAULT SOME_VAULT KEY ROTATION COMPLETION HAS BEEN RECORDED

After the key rotation and re-key operations, the entries in the sfnt_key_table remain the same. This is because only the encryption key version has changed - it’s name remains the same.

If the process is interrupted before if completes, it will resume correctly when restarted. You can test this by pressing control-c to interrupt the process.

STARTING KEY ROTATION
TOKEN VAULT INFO HAS BEEN SET FOR TOKEN VAULT SOME_VAULT 36628 TOTAL ROW(S).
26628 ROW(S) WILL BE RE-KEYED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.

Press Control-C to interrupt the process.

If you look at the sfnt_key_table at this point, you’ll see a value in the KEYROTATIONDATE column.

TABLENAME       ENCKEY      HMACKEY         KEYROTATIONDATE
-------------------------------------------------------------------------------------
SOME_VAULT      encKey      macKey          16-NOV-11

If you look at the token vault at this point, you’ll see a value in the KEYROTATIONDATE column for those rows that have been re-keyed.

When the re-key process resumes, a row is re-keyed if one of the following is true:

• There is no value in the KEYROTATIONDATE column. This means that the row was added after the last rekey.

• The row’s KEYROTATIONDATE value is earlier than the KEYROTATIONDATE value set for the token vault in the sfnt_key_table. This means that the last re-key was interrupted and the column was not re-keyed.

To resume the process, simply execute the re-key operations as normal:

java -cp C:\Tokenization\lib\ext\SafeNetTokenService-8.12.4.000.jar com.safenet.token.ReKey SOME_VAULT YourKeyManagerUser YourDatabaseUser

When the process completes, note that the CIPHERTEXT and KEYROTATIONDATE fields change, but the token value remains the same.

Tip

If you view this in your own database, a keen observer will notice that the first few digits of the ciphertext actually remain the same. This header information indicates which key version was used so that the CT-V knows how to decrypt the data.