Examples of Re-Keying and Key Rotation
For example, here is a token vault before a re-key operation:
| MACVALUE | TOKEN | CIPHERTEXT | CREATION DATE | KEYROTATION DATE | 
|---|---|---|---|---|
| 1EECA... | 1575153856 | ...8B5B5C034B12D8010CD7D87DC | 10-NOV-11 | 13-NOV-11 | 
| 52BEC... | 9984367974 | ...49E3BD64A3E81943A4024A5C7 | 10-NOV-11 | 13-NOV-11 | 
| 1EEB9... | 6904456196 | ...7ABE52DD89B22E7D6CC0C18EE | 10-NOV-11 | 13-NOV-11 | 
| A6B09... | 9495007899 | ...398AA8E65700F20AEBED2E693 | 10-NOV-11 | 13-NOV-11 | 
| 37590... | 1073306484 | ...FE0129FEFEBB46DE15659CEB5 | 10-NOV-11 | 13-NOV-11 | 
| D0214... | 1623647955 | ...D5FDB71D1E485517827B29B77 | 10-NOV-11 | 13-NOV-11 | 
| AD70C... | 7720493415 | ...40C34C3E527A3CD85CEA805C8 | 10-NOV-11 | 13-NOV-11 | 
| EB1EB... | 4246117986 | ...6F5A99301099210393141DB17 | 10-NOV-11 | 13-NOV-11 | 
| B8754... | 4401826653 | ...F83DD8558AA4FD52900D56606 | 10-NOV-11 | |
| 5304E... | 1591213345 | ...57D4692E498D903A57C73A2FF | 10-NOV-11 | |
| 52D2D... | 6368332426 | ...1961CCEBAF83DFE55594F00F9 | 10-NOV-11 | |
| 4F45C... | 6387625517 | ...5CB59EC8F83720FEF4A75756D | 10-NOV-11 | |

The MAC and ciphertext values have been truncated to fit the page.
The KEYROTATIONDATE column indicates that the table was last re-keyed on 13-NOV-11. The rows with no value in the KEYROTATIONDATE column were added after the last re-key.
Here is sfnt_key_table:

```
TABLENAME       ENCKEY      HMACKEY         KEYROTATIONDATE
-----------------------------------------------------------------------------
SOME_VAULT      encKey      macKey
```
Notice that there is no value for KEYROTATIONDATE in sfnt_key_table. The value is removed when the re-key process ends.
Rotate the encryption key (here, it’s encKey) from the Key Manager.
Run the re-key operation from the command line:

```
java -cp C:\Tokenization\lib\ext\SafeNetTokenService-8.13.2.000.jar com.safenet.token.ReKey SOME_VAULT YourKeyManagerUser YourDatabaseUser
```
The system prompts you for the NAE and database user passwords. These passwords are masked as you type them.

```
Enter NAE password:
Enter database password:
ReKey Operation Parameters:
Table Name= SOME_VAULT
NAE User Name= YourKeyManagerUser
Database User Name = YourDatabaseUser
Run the ReKey operation? [Yes|No] Yes
STARTING KEY ROTATION
TOKEN VAULT INFO HAS BEEN SET FOR TOKEN VAULT SOME_VAULT
5000 TOTAL ROW(S).
5000 ROW(S) WILL BE RE-KEYED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
REKEY SOME_VAULT STARTED: 2011-11-15 12:13:47.925
5000 TOTAL ROWS(S) COMMITTED.
REKEY SOME_VAULT ENDED: 2011-11-15 12:13:48.16
TOKEN VAULT INFO HAS BEEN SET FOR TOKEN VAULT SOME_VAULT
KEY ROTATION COMPLETION HAS BEEN RECORDED
```
After the key rotation and re-key operations, the entries in sfnt_key_table remain the same. This is because only the version of the encryption key has changed; its name remains the same.

If the process is interrupted before it completes, it resumes correctly when restarted. You can test this by pressing Control-C to interrupt the process:
```
STARTING KEY ROTATION
TOKEN VAULT INFO HAS BEEN SET FOR TOKEN VAULT SOME_VAULT
36628 TOTAL ROW(S).
26628 ROW(S) WILL BE RE-KEYED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
1000 ROW(S) PROCESSED.
```
Press Control-C to interrupt the process.
If you look at sfnt_key_table at this point, you will see a value in the KEYROTATIONDATE column:

```
TABLENAME       ENCKEY      HMACKEY         KEYROTATIONDATE
-------------------------------------------------------------------------------------
SOME_VAULT      encKey      macKey          16-NOV-11
```
If you look at the token vault at this point, you will see the new KEYROTATIONDATE value only in those rows that have already been re-keyed:
| MACVALUE | TOKEN | CIPHERTEXT | CREATION DATE | KEYROTATION DATE | 
|---|---|---|---|---|
| 1EECA... | 1575153856 | ...66386975B320140C40E9D00E8 | 10-NOV-11 | 16-NOV-11 | 
| 52BEC... | 9984367974 | ...0E8457180A90F8A78783EEA6D | 10-NOV-11 | 16-NOV-11 | 
| 1EEB9... | 6904456196 | ...FA18B65B24C27DA79F066DD6E | 10-NOV-11 | 16-NOV-11 | 
| A6B09... | 9495007899 | ...09E573690513A4CBA37DFCCF8 | 10-NOV-11 | 16-NOV-11 | 
| 37590... | 1073306484 | ...FE0129FEFEBB46DE15659CEB5 | 10-NOV-11 | 13-NOV-11 | 
| D0214... | 1623647955 | ...D5FDB71D1E485517827B29B77 | 10-NOV-11 | 13-NOV-11 | 
| AD70C... | 7720493415 | ...40C34C3E527A3CD85CEA805C8 | 10-NOV-11 | 13-NOV-11 | 
| EB1EB... | 4246117986 | ...6F5A99301099210393141DB17 | 10-NOV-11 | 13-NOV-11 | 
| B8754... | 4401826653 | ...F83DD8558AA4FD52900D56606 | 10-NOV-11 | |
| 5304E... | 1591213345 | ...57D4692E498D903A57C73A2FF | 10-NOV-11 | |
| 52D2D... | 6368332426 | ...1961CCEBAF83DFE55594F00F9 | 10-NOV-11 | |
| 4F45C... | 6387625517 | ...5CB59EC8F83720FEF4A75756D | 10-NOV-11 | |
When the re-key process resumes, a row is re-keyed if one of the following is true:
- There is no value in the KEYROTATIONDATE column. This means that the row was added after the last re-key.
- The row's KEYROTATIONDATE value is earlier than the KEYROTATIONDATE value set for the token vault in sfnt_key_table. This means that the last re-key was interrupted before it reached this row.

To resume the process, simply execute the re-key operation as normal:

```
java -cp C:\Tokenization\lib\ext\SafeNetTokenService-8.13.2.000.jar com.safenet.token.ReKey SOME_VAULT YourKeyManagerUser YourDatabaseUser
```
When the process completes, note that the CIPHERTEXT and KEYROTATIONDATE values of every row have changed, but the token values remain the same:
| MACVALUE | TOKEN | CIPHERTEXT | CREATION DATE | KEYROTATION DATE | 
|---|---|---|---|---|
| 1EECA... | 1575153856 | ...66386975B320140C40E9D00E8 | 10-NOV-11 | 16-NOV-11 | 
| 52BEC... | 9984367974 | ...0E8457180A90F8A78783EEA6D | 10-NOV-11 | 16-NOV-11 | 
| 1EEB9... | 6904456196 | ...FA18B65B24C27DA79F066DD6E | 10-NOV-11 | 16-NOV-11 | 
| A6B09... | 9495007899 | ...09E573690513A4CBA37DFCCF8 | 10-NOV-11 | 16-NOV-11 | 
| 37590... | 1073306484 | ...C50AD8DFB57BF616AE63B7D01 | 10-NOV-11 | 16-NOV-11 | 
| D0214... | 1623647955 | ...505BF6FBE1DBB4449C2183CBD | 10-NOV-11 | 16-NOV-11 | 
| AD70C... | 7720493415 | ...03FDB91EEDAC35C0050E43AAF | 10-NOV-11 | 16-NOV-11 | 
| EB1EB... | 4246117986 | ...060B7F0183DD930AB1C95D3AF | 10-NOV-11 | 16-NOV-11 | 
| B8754... | 4401826653 | ...EF69D2D12C2074BD04CA40C2E | 10-NOV-11 | 16-NOV-11 | 
| 5304E... | 1591213345 | ...B3E40204B240A421F665E8818 | 10-NOV-11 | 16-NOV-11 | 
| 52D2D... | 6368332426 | ...F480DEFC3192915FBC624A0FE | 10-NOV-11 | 16-NOV-11 | 
| 4F45C... | 6387625517 | ...A4569F8DD0F5FB0FB11C2141D | 10-NOV-11 | 16-NOV-11 | 

Tip
If you view this in your own database, you will notice that the first few digits of the ciphertext actually remain the same. This header indicates which key version was used to encrypt the row, so that the CT-V knows which key version to use to decrypt the data.
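The resume rule in the list above and the key-version header described in the Tip can both be seen in a small simulation. The following Python script is an added example, not code from the SafeNet product: it builds an in-memory SQLite copy of the two tables in the state shown right after Control-C (the table and column names, the ISO date strings and the `PAN-<token>` plaintexts are assumptions for the simulation), expresses the "no date, or date earlier than the vault-level date" rule as one SQL query, and re-keys the pending rows in committed batches. The `seal`/`unseal` pair is a toy stand-in for the vault cipher (a key-version header followed by an HMAC-SHA256 keystream XOR), chosen only because it reproduces the observable behaviour on this page: the header stays stable across a re-key while the rest of the ciphertext changes, and the token never changes.

```python
import hashlib
import hmac
import sqlite3

VAULT = "SOME_VAULT"

# Constructed sample rows modelled on the vault tables above: the token and the
# KEYROTATIONDATE each row carried when the run was interrupted. Dates are ISO
# strings so that SQLite can order them; the product's tables use DATE columns.
VAULT_ROWS = [
    ("1575153856", "2011-11-16"), ("9984367974", "2011-11-16"),
    ("6904456196", "2011-11-16"), ("9495007899", "2011-11-16"),
    ("1073306484", "2011-11-13"), ("1623647955", "2011-11-13"),
    ("7720493415", "2011-11-13"), ("4246117986", "2011-11-13"),
    ("4401826653", None), ("1591213345", None),
    ("6368332426", None), ("6387625517", None),
]

# Stand-in for the Key Manager: two versions of the single key named encKey.
# The name never changes; only the version advances (constructed key bytes).
ENC_KEY_VERSIONS = {1: b"constructed-encKey-version-1", 2: b"constructed-encKey-version-2"}


def keystream(version: int, token: str) -> bytes:
    # Per-row keystream derived from the selected key version (toy construction).
    return hmac.new(ENC_KEY_VERSIONS[version], token.encode(), hashlib.sha256).digest()


def seal(version: int, token: str, plaintext: bytes) -> str:
    """Toy stand-in for the vault cipher, NOT the product's algorithm. The output
    is a 4-hex-digit key-version header followed by the plaintext XORed with a
    per-row keystream, so the header stays stable across re-keys while the rest
    of the ciphertext changes, the property described in the Tip."""
    body = bytes(p ^ s for p, s in zip(plaintext, keystream(version, token)))
    return f"{version:04X}" + body.hex().upper()


def unseal(token: str, ciphertext: str) -> bytes:
    """Read the key version from the header and reverse seal() with that key."""
    version = int(ciphertext[:4], 16)
    body = bytes.fromhex(ciphertext[4:])
    return bytes(c ^ s for c, s in zip(body, keystream(version, token)))


def plaintext_for(token: str) -> bytes:
    return f"PAN-{token}".encode()  # constructed value behind each token (<= 32 bytes)


def build_vault() -> sqlite3.Connection:
    """In-memory copy of both tables as they look right after Control-C: four
    rows already re-keyed under version 2, sfnt_key_table still holding 16-NOV-11."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {VAULT} (token TEXT PRIMARY KEY, ciphertext TEXT, "
                "creationdate TEXT, keyrotationdate TEXT)")
    con.execute("CREATE TABLE sfnt_key_table (tablename TEXT PRIMARY KEY, enckey TEXT, "
                "hmackey TEXT, keyrotationdate TEXT)")
    for token, rotated in VAULT_ROWS:
        version = 2 if rotated == "2011-11-16" else 1
        con.execute(f"INSERT INTO {VAULT} VALUES (?, ?, ?, ?)",
                    (token, seal(version, token, plaintext_for(token)), "2011-11-10", rotated))
    con.execute("INSERT INTO sfnt_key_table VALUES (?, ?, ?, ?)",
                (VAULT, "encKey", "macKey", "2011-11-16"))
    con.commit()
    return con


# The resume rule from the list above as one query: a row is pending when it has
# no KEYROTATIONDATE, or one earlier than the vault-level date in sfnt_key_table.
PENDING_SQL = f"""
    SELECT token, ciphertext FROM {VAULT}
    WHERE keyrotationdate IS NULL
       OR keyrotationdate < (SELECT keyrotationdate FROM sfnt_key_table WHERE tablename = ?)
    ORDER BY token"""


def pending_tokens(con: sqlite3.Connection) -> list[str]:
    return [row[0] for row in con.execute(PENDING_SQL, (VAULT,))]


def rekey(con: sqlite3.Connection, new_version: int, today: str, batch: int = 4) -> int:
    """Re-key pending rows in committed batches, so an interruption loses at most
    one batch and a restart simply picks up the remaining rows. Returns the row count."""
    (rotation_date,) = con.execute(
        "SELECT keyrotationdate FROM sfnt_key_table WHERE tablename = ?", (VAULT,)).fetchone()
    if rotation_date is None:  # fresh run: record the start date in sfnt_key_table first
        rotation_date = today
        con.execute("UPDATE sfnt_key_table SET keyrotationdate = ? WHERE tablename = ?",
                    (rotation_date, VAULT))
        con.commit()
    done = 0
    while rows := con.execute(PENDING_SQL + " LIMIT ?", (VAULT, batch)).fetchall():
        for token, ciphertext in rows:
            fresh = seal(new_version, token, unseal(token, ciphertext))  # token untouched
            con.execute(f"UPDATE {VAULT} SET ciphertext = ?, keyrotationdate = ? WHERE token = ?",
                        (fresh, rotation_date, token))
        con.commit()
        done += len(rows)
    # End of run: the vault-level date is cleared, as sfnt_key_table shows after completion.
    con.execute("UPDATE sfnt_key_table SET keyrotationdate = NULL WHERE tablename = ?", (VAULT,))
    con.commit()
    return done


def snapshot(con: sqlite3.Connection) -> list[tuple[str, str, str]]:
    return con.execute(f"SELECT token, ciphertext, keyrotationdate FROM {VAULT} ORDER BY token").fetchall()


if __name__ == "__main__":
    db = build_vault()
    print("pending before resume:", pending_tokens(db))
    print("rows re-keyed:", rekey(db, 2, "2011-11-16"))
    for row in snapshot(db):
        print(row)
```

Running the script shows the eight rows that are still pending (the four dated 13-NOV-11 and the four with no date), re-keys exactly those, and leaves every ciphertext starting with the `0002` header. A row whose date already matches the vault-level date is skipped, which is what makes restarting the operation after an interruption safe.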