Tokenization Groups, Templates, and Masks
In tokenization, sensitive data such as credit card numbers or social security numbers, are replaced with an encrypted token which retains the format of the original data. When detokenizing, different users can be authorized to view the entire detokenized/unencrypted value, or authorized to see only a part of the value, with the rest hidden by a data mask.
CT-VL includes tokenization groups, templates, and data masks as convenience features to make implementing tokenization easier.
Tokenization Groups
A tokenization group is a way to compartmentalize CT-VL at a department level or site level. Each tokenization group has a symmetric key associated with it. While the CipherTrust key management and CipherTrust encryption services refer to keys directly, the tokenize/detokenize services refer to a key indirectly – via the tokenization group.
Managing Tokenization Groups
A tokenization group is used as a parameter in the Tokenization API calls, tokenize and detokenize. To use tokenization, you must create at least one tokenization group.
Note
Have at least one symmetric key created when you create a tokenization group.
Remember that all symmetric keys used for tokenization must be unversioned keys.
Tokenization Template
Tokenization templates are used to supply parameters to the tokenization/detokenization operation which otherwise would have to be supplied individually in the REST API call, thus making the REST API call both easier to use and shorter.
The CT-VL GUI administrator collaborates with the application developer to create tokenization templates with the appropriate settings, and to give the template a name that developers will use in their code.
Managing Tokenization Templates
Tokenization templates allow you to define the specifics of how you want your data tokenized and detokenized. For example, you can specify that your data be Luhn checked before tokenizing, or that the last four digits of a data string be left unencrypted, or that an identifying prefix be attached to all tokens.
To use tokenization, at least one tokenization template must be created.
| Template Value | Description |
|---|---|
| Name | Name of the template. This name will be used in the API POST commands tokenize and detokenize. |
| Token Group | The tokenization group for which this template can be used. You must create at least one template for each tokenization group. |
| Format | Formats to be used to tokenize data: • Format-preserving encryption (FPE) with or without a Luhn check. A Luhn check ensures that a submitted number is a valid credit card number. Note: FPE is an alternate name for FF3. • Random or Random with Luhn check. This format is optimized for use with numbers from 9 digits (without a Luhn digit, for instance SSNs) to 19 digits (including a Luhn digit), like credit card numbers or tax ID numbers. If the data includes more free-form text, such as names and addresses, either the FPE or FF1 format is preferable. Note: In a random or random-Luhn format, the template uses a pseudo-random number generator (PRNG) instead of an encryption algorithm. In addition, the very first symmetric key configured in the CT-VL GUI is not a true encryption key, but instead acts as a seed value for the PRNG. • One of the supported date formats. Use this to anonymize dates. Between the month, date, and year portions of the date format, the input data must include one of the following separators: slash (/), comma (,), hyphen(-), or space ( ). Date formats are used along with the Start Year and End Year fields. Note:In a date format, if a two-digit year format is selected (for example, DDMMYY), the CT-VL assumes that the date is in the twenty-first century; that is, it assumes the first two digits of the year are 20. |
| Character Set | The character set to use with tokenization. |
| Prefix | (Optional) An optional prefix to be added to all tokens. Example: CC-1234-1234-1234-1234 or SSN:123-23-1234. Note that the format is no longer preserved with this feature. |
| Keep Left | The number left digits to leave unencrypted. You need at least a total of two digits to tokenize. Cannot be left blank. |
| Keep Right | The number right digits to leave unencrypted. You need at least a total of two digits to tokenize. Cannot be left blank. |
| Irreversible | (Optional) Check this box if you never want the token to be detokenized. For example, if you have production data that you want to tokenize for test or development,and you know you’ll never want to decrypt it |
| Allow empty or 1 character inputs | Enables null, empty, and one-character inputs, which are passed through. The token value returned is the orginal input value. The single-digit input supports both characters and numerals, and is available for all formats except RANDOM. |
Minimum Input Characters with Keepleft or Keepright
If you configure using keepleft or keepright, note the following minimum numbers of input characters, according to tokenization format:
For FPE: 2 characters plus the number of keepleft or keepright characters.
For RANDOM Numeric: 9 characters plus the number of keepleft or keepright characters.
For RANDOM Alphaumeric: 5 characters plus the number of keepleft or keepright characters.
Data Masks
When a user or user group is given detokenization privileges, a data mask must be applied that defines how much of the unencrypted data they are allowed to see.
To create a mask that shows the entire data string, the CT-VL GUI Administrator would enter very large values in the Show Left and Show Right fields (999999).
