tokenizer for Card data and PCI


San
Jul 19, 2016, 8:52:40 PM
to Vault
Hi,

I am working on a tokenizer project for card data and encrypted storage of the card data.

I went through the Vault documentation but still haven't understood it fully. Could you guys let me know whether it can work as a tokenizer for card data storage as per PCI requirements, and refer me to some documents on this for more understanding?

Regards,
san

Jeff Mitchell
Jul 20, 2016, 1:51:53 PM
to vault...@googlegroups.com
Hi San,

You didn't really go into detail on your requirements, but generally
speaking Vault doesn't do tokenization, only encryption. That said,
there are ways that you can apply various pieces of functionality in
Vault to achieve a similar effect. You may want to look at the transit
backend (https://www.vaultproject.io/docs/secrets/transit/index.html)
which allows for encryption-as-a-service without divulging the
underlying encryption keys.

In 0.6.1 this will gain functionality to perform convergent
encryption, where the same inputs produce the same ciphertext. This
can be used to perform a type of tokenization, where the same inputs
can produce the same output, but the actual output value is encrypted.
Since this uses a key derivation function based on context you provide
(such as a token identifier), it's also cryptographically strong since
you could have any given token using a different key.

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/a3bae29c-15c8-4580-a80d-e9d973478487%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

San
Jul 20, 2016, 11:04:21 PM
to Vault
Thanks Jeff for the detailed response.

Basically I am trying to store card data like the PAN as encrypted data and issue a token against the PAN using AES. Keys must be stored in a PKCS#11-supported HSM. I have recently started reading the PCI documentation on this.


On Wednesday, July 20, 2016 at 10:51:53 PM UTC+5, Jeff Mitchell wrote:
> Hi San,
>
> You didn't really go into detail on your requirements, but generally
> speaking Vault doesn't do tokenization, only encryption. That said,
> there are ways that you can apply various pieces of functionality in
> Vault to achieve a similar effect. You may want to look at the transit
> backend (https://www.vaultproject.io/docs/secrets/transit/index.html)
> which allows for encryption-as-a-service without divulging the
> underlying encryption keys.

I took a look at transit. It seems like encryption as a service and supports multiple key generation. I am looking for something similar but with HSM and tokenizer support.

> In 0.6.1 this will gain functionality to perform convergent
> encryption, where the same inputs produce the same ciphertext. This
> can be used to perform a type of tokenization, where the same inputs
> can produce the same output, but the actual output value is encrypted.
> Since this uses a key derivation function based on context you provide
> (such as a token identifier), it's also cryptographically strong since
> you could have any given token using a different key.

Is there any detailed document on this?

> Best,
> Jeff

Regards,
San

Jeff Mitchell
Jul 21, 2016, 7:00:22 AM
to vault...@googlegroups.com

Hi San,

There is optional HSM support in Vault Enterprise. It doesn't store all keys stored within Vault in an HSM; rather, it supports wrapping Vault's master key with an HSM-stored key. This allows conformance with specifications that require an HSM to protect the master key...often this is the actual requirement.

Best,
Jeff



San
Jul 21, 2016, 7:57:59 AM
to Vault
Thanks Jeff,

I already requested the information regarding Vault Enterprise.

I am trying to test Vault and transit. How can I store all the data in a PostgreSQL database? Are the secret backend and the data storage the same thing or different? I created the following configuration file and am getting the error below when starting the Vault server.

backend "postgresql" {

  connection_url = postgresql://postgres:post...@127.0.0.1:5432/postgres

}


##########Error################
./vault server -config vault.config 
Error loading configuration from vault.config: At 3:20: Unknown token: 3:20 IDENT postgresql

Regards,
San

Jeff Mitchell
Jul 21, 2016, 9:43:54 AM
to vault...@googlegroups.com
Hi San,

I think you need to put the actual URL value in quotes:

connection_url = "postgresql://postgres:post...@127.0.0.1:5432/postgres"

Best,
Jeff

San
Jul 21, 2016, 11:24:52 AM
to Vault
Thanks Jeff, it's connected after putting it in quotes.

Regards,
Sanaullah

San
Jul 21, 2016, 11:38:17 AM
to Vault
Hi Jeff

>In 0.6.1 this will gain functionality to perform convergent 
>encryption, where the same inputs produce the same ciphertext. This 
>can be used to perform a type of tokenization, where the same inputs 
>can produce the same output, but the actual output value is encrypted. 
>Since this uses a key derivation function based on context you provide 
>(such as a token identifier), it's also cryptographically strong since 
>you could have any given token using a different key. 

Can you provide a link on this, or any documentation I can read with details on convergent encryption?

Regards,
San

Bruno Mattarollo
Jul 21, 2016, 2:19:42 PM
to vault...@googlegroups.com
Hi San,

https://github.com/hashicorp/vault/pull/1543 is what you are after, I think.

Hope this helps,

/B





--
Bruno Mattarollo | @bmatt | Skype: brunomattarollo

San
Jul 22, 2016, 10:22:13 AM
to Vault
Thanks Bruno,

Basically I am trying to achieve a requirement for a tokenizer and card data storage. Against every card data record, the tokenizer will generate a token, and the card data is going to be stored encrypted using AES-256. There should be at least 1000 keys in the DB, and the data is going to be encrypted with a randomly picked key from the DB. The encrypted payment data will be stored in the payment information table along with the index of the encryption key used.

Do you think convergent encryption can help with this? I am also new in this domain.

Regards,
San

Bruno Mattarollo
Jul 23, 2016, 8:22:55 AM
to vault...@googlegroups.com
Hey San,

My personal preference would be to avoid using convergent encryption to generate the encrypted PANs, in particular if you store the masked PAN together with your ciphertext.

I would only use convergent encryption if you have a requirement to always generate the same ciphertext from a given plaintext ... e.g. you want to check for duplication but you don't want to have access to the plaintext, so you detect duplication with the ciphertext (of course, you could also use a SHA512 or similar to do the same).

As for tokenisation, I'd probably use a random generator that is not related at all to the plaintext or ciphertext, uuid-v4 probably (that'd be my personal approach). You could use vault to generate that token for you since you'd be already using vault to encrypt the PANs.

note: I don't work on vault or for hashicorp so my knowledge of the internals of vault or best practices usage is limited. Please take this with a grain of salt :)

Cheers

/B
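Bruno's approach above (a random uuid4 token that is unrelated to the PAN, the PAN itself encrypted through Vault's transit backend, and a masked PAN kept for display) sketched out as an added Python example. This is not code from the thread or from Vault; the transit endpoints, the `X-Vault-Token` header and the `vault:v1:` ciphertext prefix are Vault's real HTTP API, while the `cards` key name, the `rows` dict standing in for San's payment information table and the offline `StubEncryptor` are assumptions made here. Because a transit ciphertext already carries the key version that produced it, it plays the role of San's "index of the encryption key used" without a separate column.

```python
import base64
import json
import urllib.request
import uuid


def luhn_valid(pan: str) -> bool:
    """Luhn check so obviously malformed PANs are rejected before storage."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display mask: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class VaultTransitEncryptor:
    """Encrypt/decrypt via Vault's transit backend over its HTTP API.

    POST /v1/transit/encrypt/<key> returns data.ciphertext ("vault:vN:...", where
    vN is the key version); POST /v1/transit/decrypt/<key> returns data.plaintext
    as base64. The caller never sees the key material. Not exercised offline.
    """

    def __init__(self, addr: str, token: str, key_name: str = "cards"):
        self.addr, self.token, self.key_name = addr.rstrip("/"), token, key_name

    def _post(self, path: str, body: dict) -> dict:
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}",
            data=json.dumps(body).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["data"]

    def encrypt(self, plaintext: bytes) -> str:
        b64 = base64.b64encode(plaintext).decode()
        return self._post(f"transit/encrypt/{self.key_name}", {"plaintext": b64})["ciphertext"]

    def decrypt(self, ciphertext: str) -> bytes:
        b64 = self._post(f"transit/decrypt/{self.key_name}", {"ciphertext": ciphertext})["plaintext"]
        return base64.b64decode(b64)


class StubEncryptor:
    """Reversible placeholder (an assumption for offline runs). It is NOT
    encryption; use VaultTransitEncryptor in anything real."""

    def encrypt(self, plaintext: bytes) -> str:
        return "stub:" + base64.b64encode(plaintext).decode()

    def decrypt(self, ciphertext: str) -> bytes:
        if not ciphertext.startswith("stub:"):
            raise ValueError("not a stub ciphertext")
        return base64.b64decode(ciphertext[5:])


class TokenVault:
    """Maps random tokens to encrypted PANs. The token is uuid4, so nothing
    about the PAN can be derived from it and equal PANs get different tokens."""

    def __init__(self, encryptor):
        self.encryptor = encryptor
        self.rows = {}  # token -> {"ciphertext", "masked"}; stands in for the DB table

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        token = str(uuid.uuid4())
        self.rows[token] = {
            "ciphertext": self.encryptor.encrypt(pan.encode()),
            "masked": mask_pan(pan),
        }
        return token

    def detokenize(self, token: str) -> str:
        """Only the path that genuinely needs the PAN should hold a Vault token
        with decrypt rights on the transit key."""
        return self.encryptor.decrypt(self.rows[token]["ciphertext"]).decode()

    def masked(self, token: str) -> str:
        """What reporting and display paths get instead of the PAN."""
        return self.rows[token]["masked"]
```

Separating the ingestion service (transit `encrypt` only) from the settlement service (transit `decrypt`) in Vault policy is what makes the split between token and ciphertext worth anything; the table holding the ciphertexts is still cardholder data and still in PCI scope.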




San
Jul 25, 2016, 6:52:02 AM
to Vault
Thanks Bruno,

Your personal preference also works for me. I also read the convergent encryption documentation, so it's not useful in the case of PAN encryption. As per PCI we have a random token against every card data record, so it seems only a random number generator can work for this.

Thanks for your input :)

Regards,
San

Jeff Mitchell
Jul 25, 2016, 8:11:29 AM
to vault...@googlegroups.com
Hi San,

I wouldn't suggest using convergent encryption for card data storage.
My suggestion was for tokenization, but only based on a guess of your
needs, since "tokenization" can be a bit of an overloaded term.

In many cases, when people want to tokenize data, what they really
want is a way of correlating like items of data without divulging what
that is. For instance, if you want to store credit card transaction
information, you may want to be able to correlate a particular vendor
across all transactions; or, you may want to store the dollar amount
of each transaction as a rounded-up number to the nearest large
denomination, so you can easily find transactions less than or more
than a certain amount. This wouldn't be personally identifying card
user information, so complete randomization isn't necessary, but you
still don't want to divulge the details to unauthorized parties. So
you split the various parts of the input data into tokens and run
operations such that vendor A will always correspond to ciphertext A'
and vendor B will always correspond to ciphertext B', and $100 will
always correspond to C' and $200 will always correspond to D'.

If you have that kind of scenario, convergent encryption may work well for you.

Best,
Jeff
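Jeff's correlation scenario (vendor A always maps to A', every amount in the same bucket maps to the same C'), together with his earlier description of a context-derived key, as an added Python example that is not from the thread and does not reproduce Vault's transit algorithm. It stands in for the convergent mode with a stdlib HMAC-based deterministic cipher: a per-context key is derived from a master key, and the IV is a MAC of the plaintext (SIV-style), so the same input under the same context always gives the same output and the IV doubles as an integrity tag. The master key, the `vendor` and `amount` contexts and the sample transactions are all constructed here.

```python
import hashlib
import hmac
import math

IV_LEN = 16


def derive_key(master: bytes, context: bytes) -> bytes:
    """Per-context key: 'vendor' and 'amount' tokens use unrelated keys, so
    the same plaintext under two contexts never collides."""
    return hmac.new(master, b"ctx:" + context, hashlib.sha256).digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # HMAC in counter mode as a PRF; a stand-in for a block cipher, not a proposal.
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(math.ceil(length / 32)))
    return b"".join(blocks)[:length]


def convergent_encrypt(master: bytes, context: bytes, plaintext: bytes) -> str:
    key = derive_key(master, context)
    # Synthetic IV derived from the plaintext: equal inputs -> equal tokens.
    iv = hmac.new(key, b"siv:" + plaintext, hashlib.sha256).digest()[:IV_LEN]
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return "conv:" + (iv + body).hex()


def convergent_decrypt(master: bytes, context: bytes, token: str) -> bytes:
    if not token.startswith("conv:"):
        raise ValueError("not a convergent token")
    raw = bytes.fromhex(token[5:])
    iv, body = raw[:IV_LEN], raw[IV_LEN:]
    key = derive_key(master, context)
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))
    # Recomputing the IV over the recovered plaintext authenticates it and
    # catches both tampering and decryption under the wrong context.
    expected = hmac.new(key, b"siv:" + plaintext, hashlib.sha256).digest()[:IV_LEN]
    if not hmac.compare_digest(iv, expected):
        raise ValueError("wrong context or tampered token")
    return plaintext


def bucket_amount(dollars: int, step: int = 100) -> int:
    """Round up to the next multiple of `step`, as in Jeff's rounded-up amounts."""
    return -(-dollars // step) * step


def correlation_row(master: bytes, vendor: str, dollars: int) -> dict:
    """Tokenise the correlatable fields of one transaction, each under its own context."""
    return {
        "vendor_token": convergent_encrypt(master, b"vendor", vendor.encode()),
        "amount_token": convergent_encrypt(master, b"amount", str(bucket_amount(dollars)).encode()),
    }


def find_by_vendor(master: bytes, rows: list, vendor: str) -> list:
    """Query by vendor without ever storing the vendor name in the clear."""
    want = convergent_encrypt(master, b"vendor", vendor.encode())
    return [r for r in rows if r["vendor_token"] == want]


# Constructed sample transactions (vendor, dollars); not real data.
SAMPLE_TRANSACTIONS = [("ACME Corp", 150), ("Globex", 42), ("ACME Corp", 180), ("Initech", 500)]
```

In transit this corresponds to a key created with derivation and convergent encryption enabled and a `context` supplied on each request. The property to keep in view is the one the example relies on: equality of plaintexts is visible in the output. That is exactly what makes it useful for vendors and amount buckets and what makes it the wrong tool for PANs, where a small, structured value space turns an equality oracle into a guessing attack.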