User's Guide: Tokenization – Fortanix

FORTANIX SELF-DEFENDING KMS TOKENIZATION USER GUIDE.pdf
1 MB Download

The Fortanix Self-Defending Key Management Service (KMS) tokenization feature eliminates the link to sensitive data and is used in credit card processing to reduce or eliminate breaches. This is a highly secure method of protecting payment credentials which include substituting sensitive data such as credit card/ account numbers with a one-time number known as a token that has no relationship to a person or their account. The 16-digit account number is replaced with a randomly generated alphanumeric ID.

Fortanix Self-Defending KMS Tokenizer Security Object Data Types

Tokenizer Data Types

A security object token can be of the following data types:

Credit card
SSN
IMSI (International Mobile Subscriber Identity)
Custom token

Depending on the type of data the users want to protect, they can create security objects belonging to any of the three tokenizer data types. Tokenization replaces a customer’s credit card number, SSN, IMSI, or a custom token with a randomly generated code or token eliminating them from commerce systems, only storing a “token” that represents them.

Credit Card Tokenization

A typical credit card number comes with a 16-digit personal account number (PAN) which can be tokenized. When a merchant swipes a customer’s credit card, the PAN is automatically replaced with a format-preserving alphanumeric ID (“token”).

In Fortanix Self-Defending KMS, a user can choose to tokenize certain digits of a credit card number using a pattern. There are 4 types of tokenization pattern that can be applied:

Fully tokenize the credit card number – full token. For example:

In this method, a user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the credit card number – token + 4 digits. For ex:
In this method, a user can choose to mask the complete token except the last four since these digits of the credit card number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the 1^st six digits of the credit card number – 6 digits + token. For ex:
In this method, a user can choose to mask the complete token except for the 1^st six digits since these digits of the credit card number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the 1^st six digits and last four digits of the credit card number – 6 digits + token + 4 digits. For ex:
In this method, a user can choose to mask the complete token except for the 1st six digits and the last four digits since these digits of the credit card number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.

SSN Tokenization

This method of tokenization converts sensitive data, such as a social security number, into a random string of characters (called a token) that have no meaningful value if breached. A typical Social Security number consists of 9 digits. A token representing an SSN may need to retain the real last 4 digits. This enables representatives to verify user identities without access to the rest of the SSN.

In Fortanix Self-Defending KMS, a user can choose to tokenize an SSN using the below two patterns.

Fully tokenize the SSN – full token. For ex:
In this method, a user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the SSN – token + 4 digits. For ex:
In this method, a user can choose to mask the complete token except the last four digits since these digits of the SSN are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.

IMSI Tokenization

The IMSI is a 15 digit number that uniquely identifies every user of a cellular network. It is stored as a 64-bit field and is sent by the mobile device to the network.

The phone identifies the subscriber by transmitting the IMSI number. To prevent eavesdroppers from identifying and tracking the subscriber on the radio interface using the IMSI number, we can tokenize the IMSI number so that it is automatically replaced with a format-preserving alphanumeric ID (“token”).

In Fortanix Self-Defending KMS, a user can choose to tokenize certain digits of an IMSI number using a pattern. There are 4 types of tokenization pattern that can be applied:

Fully tokenize the IMSI number – full token. For example:

In this method, a user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the IMSI number – token + 4 digits. For ex:
In this method, a user can choose to mask the complete token except the last four since these digits of the IMSI number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the 1^st six digits of the IMSI number – 6 digits + token. For ex:
In this method, a user can choose to mask the complete token except for the 1^st six digits since these digits of the IMSI number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the 1^st six digits and last four digits of the IMSI number – 6 digits + token + 4 digits. For ex:
In this method, a user can choose to mask the complete token except for the 1st six digits and the last four digits since these digits of the IMSI number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.

Custom Tokens

A user can use this method of tokenization to protect any kind of data other than a credit card or SSN. This data type must have a minimum size of 13 which can either be numbers, hexadecimals or alphanumeric values. In this method, a user can choose to tokenize any combination of the 1^st six and the last six digits in the data. For ex:

1 symbol + token + 1 symbol
6 symbols + token + 6 symbols
3 symbols + token + 2 symbols
A user can choose to mask the corresponding tokenized values with asterisks (*), further securing the token’s identity. Masking can be applied to any combination of digits that are tokenized using the Add masking pattern option in the UI. For example, the following can be the masking patterns for the custom token above.

A custom token type can be:
1. Numbers only: If your data is of type ‘number’, then use this option to create a custom token containing only numbers.
2. Hexadecimal only: If your data is of type ‘hexadecimal’, then use this option to create a custom token containing hexadecimal values.
3. Alphanumeric only: If your data is of type ‘alphanumeric’, then use this option to create a custom token containing alphanumeric values.

Create a Tokenizer Security Object

To create a tokenizer security object, follow the steps below:

Log in to your Fortanix Self-Defending KMS account using the URL: https://sdkms.fortanix.com.
On the Fortanix Self-Defending KMS UI left panel, click the Security Objects tab, and then click the CREATE SECURITY OBJECT button in the Security Objects page.

Figure 1: Create a Tokenizer Security Object
In the Add New Security Object page, enter a name for your new security object, and then select the GENERATE option, to generate a security object.

Figure 2: Generate Tokenizer Object
Select the type of security object as Tokenization.

Figure 3: Select Security Object Type
In the Data type list, select the tokenization type for the tokenizer security object. There are three data types to select from, namely:
Figure 4: Tokenizer Data Type

Refer to the previous section for more details about these data types.
If you want to mask your token, then select Add masking pattern.

Figure 5: Add Masking Pattern
Move the slider below the token to choose a masking pattern.

Figure 6: Apply Masking Pattern
Enter a key size for the security object. The allowed values are 128 bits, 192 bits, and 256 bits.

Figure 7: Select Key Size
Select the permitted key operations on this security object.

Figure 8: Select Key Operations
Assign the security object to a group.

Figure 9: Assign Security Object to Group
Lastly, click GENERATE to generate a tokenizer security object.

Figure 10: Generate Security Object
The new tokenizer security object is created.

Figure 11: Tokenizer Security Object Created

Tokenization Operations Using API

Once the tokenization object is created, it can be used to tokenize and de-tokenize data. For the examples shown in this section the following tokenization object will be used:

Generating a Token

To generate a token from the data given in Figure 12, the following API request should be used:

POST https://{{server}}/crypto/v1/keys/{{token_key_uuid}}/encrypt

Request body:

{
 "alg": "AES",
 "mode": "Ff1",
 "plain": "MDEyMzQ1Njc4OTEyMzQ1Ng=="
}

the "plain" field is the base64 encoding of the data to tokenize. For this example, the base64 encoding of “0123456789123456” was used.

The request-response is:

{
 "kid": "034a9879-8206-4898-bb6e-05e4cb69782d",
 "cipher": "MDEyMzQ1OTEyMDY1MTY4Mg=="
}

The base64 decoding of the returned "cipher" is “0123459120651682”. The first 6 digits of the text (credit card number) are identical to the original plain text and the rest of the digits are tokenized.

Obtaining Original Data

To obtain the original data from a given token the following API request should be used:

POST https://{{server}}/crypto/v1/keys/{{token_key_uuid}}/decrypt

Request body:

{
 "alg": "AES",
 "mode": "Ff1",
 "cipher": "MDEyMzQ1OTEyMDY1MTY4Mg=="
}

The "cipher" field is the base64 encoding of the token. For this example, the cipher received from the previous version was used.

The request-response is:

{
 "kid": "034a9879-8206-4898-bb6e-05e4cb69782d",
 "plain": "MDEyMzQ1Njc4OTEyMzQ1Ng=="
}

The "plain" field is the base64 encoding of the original data. The result of decoding the "plain" field is “0123456789123456”, the original data provided.