Data Masking for Encryption and Decryption
Masking allows the CTP administrator to define one mask per user. The masking rules are applied during decryption by the UDF decrypt_fpe().
Defining Masks
Masks are defined in the configuration file /etc/vormetric/masks.conf. The format of masks.conf is similar to that of profiles.conf: it is an .ini file with sections and key-value pairs. The section name is the Teradata username.
Each section contains the following key-value pairs, which together form the mask definition:
Showfirst: A numeric value giving the number of characters at the beginning of the value that are displayed in the decrypted output. The default is zero. For example, a showfirst value of 4 produces output such as 3454-XXXX-XXXX-XXXX.
Showlast: A numeric value giving the number of characters at the end of the value that are displayed in the decrypted output. The default is zero. For example, a showlast value of 4 produces output such as XXXX-XXXX-XXXX-8462.
Maskchar: The character used to replace the remaining characters in the decrypted output. This key is mandatory for a valid mask definition.
Warning
If masks.conf is not found, or the username is not found in masks.conf, the decrypted output is shown in its entirety.
Example
# A sample masks.conf
[DBC]
showfirst = 4
showlast = 4
maskchar = 'X'
[THALES]
showfirst = 0
showlast = 0
maskchar = '*'
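The masking rule described above, and the fallback the warning describes, can be checked outside Teradata with a small parser. The following Python is an added example, not CTP code and not part of this page. It assumes that separators such as '-' are never masked (consistent with the page's 3454-XXXX-XXXX-XXXX example), that the username lookup is case-sensitive, and that a section without a single-character maskchar is ignored; the sample masks.conf text is constructed from the page's example.

```python
import configparser

# Constructed sample masks.conf, mirroring the page's example: one section per Teradata user.
SAMPLE_MASKS_CONF = """\
# A sample masks.conf
[DBC]
showfirst = 4
showlast = 4
maskchar = 'X'
[THALES]
showfirst = 0
showlast = 0
maskchar = '*'
"""


def load_masks(text):
    """Parse masks.conf text into {username: (showfirst, showlast, maskchar)}.

    A section without a single-character maskchar is dropped, since the page
    states that maskchar is mandatory for a valid mask definition
    (dropping it is an assumption about CTP's handling of invalid sections).
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    masks = {}
    for user in cp.sections():
        section = cp[user]
        maskchar = section.get("maskchar", "").strip().strip("'\"")
        if len(maskchar) != 1:
            continue
        showfirst = section.getint("showfirst", fallback=0)  # default zero per the page
        showlast = section.getint("showlast", fallback=0)
        masks[user] = (showfirst, showlast, maskchar)
    return masks


def apply_mask(value, rule):
    """Show the first `showfirst` and last `showlast` characters and mask the rest.

    Assumption: only alphanumeric characters are replaced; separators stay in place.
    """
    showfirst, showlast, maskchar = rule
    n = len(value)
    if showfirst + showlast >= n:
        return value  # nothing left to mask
    head = value[:showfirst]
    tail = value[n - showlast:] if showlast else ""
    middle = value[showfirst:n - showlast]
    return head + "".join(maskchar if c.isalnum() else c for c in middle) + tail


def masked_decrypt_output(user, plaintext, masks):
    """Model the fallback the page warns about: no masks.conf (masks is None)
    or no section for this user means the full plaintext is returned."""
    if not masks or user not in masks:
        return plaintext
    return apply_mask(plaintext, masks[user])


if __name__ == "__main__":
    rules = load_masks(SAMPLE_MASKS_CONF)
    for user in ("DBC", "THALES", "ANALYST"):
        print(user, masked_decrypt_output(user, "3454-5678-9012-8462", rules))
```

Running it shows DBC getting 3454-XXXX-XXXX-8462, THALES getting a fully starred value, and ANALYST, who has no section, getting the full plaintext, which is the case to watch for when auditing a masks.conf deployment.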
Supporting Partial Encryption
Partial encryption can be applied to the selected field value. It is governed by the profile passed as a parameter to the UDF.
The following key-value pairs control partial encryption:
Keepleft: A numeric value denoting the number of characters at the beginning of the input string that remain as they are, while the rest of the string is encrypted. For example, a keepleft value of 4 for the input 1234-5678-3456-7890 results in output similar to 1234-6573-7412-8831.
Keepright: A numeric value denoting the number of characters at the end of the input string that remain as they are, while the rest of the string is encrypted. For example, a keepright value of 4 for the input 1234-5678-3456-7890 might result in output similar to 6438-6573-7412-7890.
Example
[encrypt_ccnum]
method = fpe
tweak = auto
charset = digits
keyname = KEY_FPE_CC
keepleft = 4
Adding Prefix and Suffix to a Decrypted Field Value
You can add a prefix and/or suffix to the decrypted output through two new key-value pairs, prefix and suffix, in the profiles.conf file. If the prefix is defined as the string "Credit Card number: ", the output is similar to "Credit Card number: 1234-6352-1738-2343". The size of the prefix/suffix is limited to 10 characters.
Example
[encrypt_ccnum]
method = fpe
tweak = auto
charset = digits
keyname = KEY_FPE_CC
keepleft = 4
prefix = "Credit Card number: "
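The keepleft/keepright split described under Supporting Partial Encryption and the prefix/suffix handling described above can be modelled together. The Python below is an added example and not CTP code: the encryption step is a labelled stand-in digit shift used only to show which positions change, not FPE; the profile names, the "CC: " and " (dec)" values, and the 10-character limit check are taken or constructed from the page's text; only the digits charset from the page is modelled.

```python
import configparser

# Constructed profiles.conf fragment following the page's examples (one profile per section).
SAMPLE_PROFILES_CONF = """\
[encrypt_ccnum]
method = fpe
tweak = auto
charset = digits
keyname = KEY_FPE_CC
keepleft = 4
prefix = "CC: "

[encrypt_ccnum_right]
method = fpe
tweak = auto
charset = digits
keyname = KEY_FPE_CC
keepright = 4
suffix = " (dec)"
"""

CHARSETS = {"digits": "0123456789"}  # assumption: only the page's digits charset is modelled
MAX_AFFIX_LEN = 10  # the page limits prefix/suffix to 10 characters


def load_profiles(text):
    """Parse profiles.conf text, unquoting prefix/suffix and enforcing the size limit."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        profile = dict(cp[name])
        for key in ("prefix", "suffix"):
            if key in profile:
                profile[key] = profile[key].strip('"')
                if len(profile[key]) > MAX_AFFIX_LEN:
                    raise ValueError(f"{name}: {key} exceeds {MAX_AFFIX_LEN} characters")
        profiles[name] = profile
    return profiles


def _stand_in_transform(text, alphabet, shift):
    """Placeholder for the FPE step: shifts each in-charset character by `shift`.

    This is NOT encryption (real FPE is keyed and tweaked); it only shows which
    positions change. Characters outside the charset, such as '-', pass through.
    """
    out = []
    for c in text:
        if c in alphabet:
            out.append(alphabet[(alphabet.index(c) + shift) % len(alphabet)])
        else:
            out.append(c)
    return "".join(out)


def split_by_keep(value, keepleft, keepright):
    """Split into (kept left part, part to encrypt, kept right part)."""
    n = len(value)
    if keepleft + keepright >= n:
        return value, "", ""  # nothing left to encrypt
    right = value[n - keepright:] if keepright else ""
    return value[:keepleft], value[keepleft:n - keepright], right


def encrypt_with_profile(value, profile):
    """Apply keepleft/keepright from the profile, transforming only the middle part."""
    alphabet = CHARSETS[profile.get("charset", "digits")]
    keepleft, keepright = int(profile.get("keepleft", 0)), int(profile.get("keepright", 0))
    left, middle, right = split_by_keep(value, keepleft, keepright)
    return left + _stand_in_transform(middle, alphabet, 3) + right


def decrypt_with_profile(ciphertext, profile):
    """Undo the stand-in transform, then add the profile's prefix/suffix to the output."""
    alphabet = CHARSETS[profile.get("charset", "digits")]
    keepleft, keepright = int(profile.get("keepleft", 0)), int(profile.get("keepright", 0))
    left, middle, right = split_by_keep(ciphertext, keepleft, keepright)
    plain = left + _stand_in_transform(middle, alphabet, -3) + right
    return profile.get("prefix", "") + plain + profile.get("suffix", "")


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_PROFILES_CONF)
    for name in profiles:
        ct = encrypt_with_profile("1234-5678-3456-7890", profiles[name])
        print(name, ct, "->", decrypt_with_profile(ct, profiles[name]))
```

The kept characters and the separators stay in the clear in the ciphertext, which is the point to keep in mind when deciding how large keepleft or keepright may be for a given field: each kept digit reduces what the ciphertext hides.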
Generating an Irreversible Encryption
If you need to encrypt data that can never be decrypted:
Use the key irreversible.
Set it to yes to encrypt forever.
Example
[irreversible_encryption]
method = fpe
tweak = auto
charset = digits
keyname = KEY_FPE_CC
irreversible = yes
Note
If a profile for FPE/FF1 encryption enables irreversible encryption, the generated ciphertext remains identical across different tweak values. For example, a profile that enables irreversible encryption with a tweak of DE applied to plaintext of ABCD will produce the same ciphertext of WXYZ even if the tweak is changed to D. However, if the irreversible key is not included in the profile, the generated ciphertext changes when the tweak value is changed.
Luhn Check Compatible Encryption
A Luhn check is a checksum algorithm used to verify whether a credit card number is valid. Users choose FPE so that legacy applications do not break while processing the encrypted data. Running standard FPE on a credit card number can produce a string that looks like a credit card number but fails the Luhn check.
CTP supports format-preserving encryption whose output passes the Luhn check. For this, CTP adds a method called fpeluhn in profiles.conf. The charset for this profile is ASCII digits, and the keepright directive does not work with this encryption method.
FPE-Luhn in Teradata requires three or more characters for encryption.
[encrypt_ccnum]
# fpeluhn: new method that enforces Luhn check validation for the output
method = fpeluhn
tweak = auto
charset = digits
keyname = KEY_FPE_CC
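The property the fpeluhn method promises, that the ciphertext still passes the Luhn check, is something a tester should verify on real plaintext/ciphertext pairs rather than assume. The Python below is an added example, not CTP code and not part of this page: it implements the standard Luhn check and check-digit computation, then bundles the checks a tester would run on an fpeluhn pair (length, separator layout, the three-digit minimum the page states, and the Luhn check itself). The sample numbers are constructed for the example; "4539-1488-0343-6467" was built to pass Luhn and "…6468" to fail it.

```python
def luhn_valid(number):
    """Luhn check over the digits of `number`; non-digit separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """Return the digit that makes payload + digit pass the Luhn check."""
    digits = [int(c) for c in payload if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def check_fpeluhn_pair(plaintext, ciphertext):
    """Properties a tester would verify on a plaintext/ciphertext pair from an fpeluhn profile."""
    def layout(s):
        # positions of non-digit characters; FPE must leave these untouched
        return [(i, c) for i, c in enumerate(s) if not c.isdigit()]

    problems = []
    if sum(c.isdigit() for c in plaintext) < 3:
        problems.append("fewer than 3 digits")  # page: FPE-Luhn needs three or more characters
    if len(plaintext) != len(ciphertext):
        problems.append("length changed")
    if layout(plaintext) != layout(ciphertext):
        problems.append("separator layout changed")
    if not luhn_valid(ciphertext):
        problems.append("ciphertext fails Luhn")
    return problems


# Constructed sample values: a Luhn-valid test number and two candidate outputs.
VALID_PAN = "4111-1111-1111-1111"
LUHN_PASSING_OUTPUT = "4539-1488-0343-6467"  # constructed so that it passes Luhn
LUHN_FAILING_OUTPUT = "4539-1488-0343-6468"  # same digits, last one off by one

if __name__ == "__main__":
    for candidate in (LUHN_PASSING_OUTPUT, LUHN_FAILING_OUTPUT):
        print(candidate, check_fpeluhn_pair(VALID_PAN, candidate) or "ok")
```

The check-digit routine also makes concrete why the page says keepright does not apply to fpeluhn: the last digit is the one that balances the checksum, so it cannot be both held constant and used to satisfy the Luhn check.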