Hashing
A hash function produces a small number that serves as a digital fingerprint of the data. The algorithm “chops and mixes” the data, for example by substituting or transposing it, to create the fingerprint.
Protegrity offers two different algorithms for creating hash values:
- The Hashed Message Authentication Code with SHA-256 (HMAC-SHA256) algorithm returns a 256-bit (32-byte) hash value for any data.
- The HMAC-SHA1 algorithm returns a 160-bit (20-byte) hash value for any data.
Deprecated
Starting from v10.0.x, the HMAC-SHA1 protection method is deprecated.
It is recommended to use the HMAC-SHA256 protection method instead of the HMAC-SHA1 protection method.
Hashing is used to transform sensitive data, and HMAC-SHA1 and HMAC-SHA256 are the specific hashing methods used for this purpose. The transformed data is irreversible: the original value is replaced with a checksum and is not stored anywhere as an encrypted value. Unlike encryption, the original data cannot be retrieved from the hashed value.
Table: Hashing Protection Algorithm Properties
| Properties | Keyed Hash Algorithm: HMAC-SHA1 | Keyed Hash Algorithm: HMAC-SHA256 |
|---|---|---|
| Operation Mode | N/A | N/A |
| Encryption Properties - IV, CRC, Key ID | No | N/A |
| Length Preservation with padding formula for non-length preserving algorithms | No. Result is always 20 bytes regardless of input length. | No. Result is always 32 bytes regardless of input length. |
| Minimum Length | None | None |
| Maximum Length | ≥ 500 bytes | ≥ 500 bytes |
| Input type / Character set | Vary across DBs | Vary across DBs |
| Output type / Character set | Binary | Binary |
| Return of Protected value | No | No |
| Specifics of algorithm | Irreversible protection method. Original data is replaced with a checksum and cannot be retrieved back, when decrypted. | Irreversible protection method. Original data is replaced with a checksum and cannot be retrieved back, when decrypted. |
The following table shows examples of how a value is replaced when the HMAC-SHA1 / HMAC-SHA256 hashing type is used.
Table: HMAC-SHA1 / HMAC-SHA256 Hashing Output Values
| Protection Method | Input Value | Output Value | Comments |
|---|---|---|---|
| HMAC-SHA1 | Protegrity | 0x5855682AB16B3C818C33CCA382B0F32A00EC2915 | Output value cannot be decrypted. |
| HMAC-SHA256 | Protegrity | 0x9EE0CD797365EA5E2A76DC6663E98D0147CAE004DE0D5E0D7F2730E7F9BF165A | Output value cannot be decrypted. |
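The properties above (keyed, fixed-length binary output, no decrypt step), shown with Python's standard `hmac` module as an added example; this is not Protegrity's API or code. The key, the function names and the UTF-8 default are assumptions made for illustration, so the digests it prints will not match the table values, which depend on the product's own key.

```python
import hashlib
import hmac

# Constructed demo key (assumption); in a real deployment the key is managed by the product.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

_DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def to_bytes(value, encoding="utf-8"):
    """Convert caller input to a byte array; the encoding chosen changes the hash."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode(encoding)
    raise TypeError(f"unsupported input type: {type(value).__name__}")


def keyed_hash(value, method="HMAC-SHA256", key=DEMO_KEY, encoding="utf-8"):
    """Return the binary keyed hash: 20 bytes for HMAC-SHA1, 32 for HMAC-SHA256."""
    return hmac.new(key, to_bytes(value, encoding), _DIGESTS[method]).digest()


def matches(candidate, stored_hash, method="HMAC-SHA256", key=DEMO_KEY):
    """Test a candidate against a stored hash by recomputing and comparing in constant time."""
    return hmac.compare_digest(keyed_hash(candidate, method, key), stored_hash)


def as_hex_literal(digest):
    """Render binary output in the 0x... form used in the output-values table."""
    return "0x" + digest.hex().upper()


if __name__ == "__main__":
    # Output length is fixed whatever the input length (0, 10 and 500 characters here).
    for method in _DIGESTS:
        for sample in ("", "Protegrity", "x" * 500):
            digest = keyed_hash(sample, method)
            print(method, len(sample), len(digest), as_hex_literal(digest))
    stored = keyed_hash("Protegrity")
    print(matches("Protegrity", stored), matches("protegrity", stored))
    # Same text, different character set: the byte arrays differ, so the hashes differ.
    print(keyed_hash("café") == keyed_hash("café", encoding="latin-1"))
```

Because the input character set varies across platforms, systems that need to compare hashed values must agree on the byte encoding before hashing.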
Hashing for Protectors
Application Protector
Table: Supported Input Data Types by Application Protectors
| Protection Method | AP Java*1 | AP Python |
|---|---|---|
| HMAC-SHA1 | FLOAT DOUBLE STRING CHAR[] BYTE[] | STRING BYTES |
*1 - If the input and output types of the API are BYTE[], the customer application should convert the input to a byte array, call the API, and then convert the output from the byte array.
For more information about Application protectors, refer to Application Protector.
Big Data Protector
Table: Supported Input Data Types for Big Data Protectors
| Protection Method*1 | MapReduce | Hive | Pig | HBase | Impala | Spark | Spark SQL | Trino |
|---|---|---|---|---|---|---|---|---|
| HMAC-SHA1 | BYTE[] | Not supported | Not supported | BYTE[] | Not supported | BYTE[] | Not supported | Not supported |
| HMAC-SHA256 | BYTE[] | Not supported | Not supported | BYTE[] | Not supported | BYTE[] | Not supported | Not supported |
*1 - The customer application should convert the input to a byte array and the output from a byte array.
For more information about Big Data protectors, refer to Big Data Protector.
Data Warehouse Protector
Table: Supported Input Data Types for Data Warehouse Protectors
| Protection Method | Teradata |
|---|---|
| HMAC-SHA1 | VARCHAR INTEGER FLOAT |
| HMAC-SHA256 | VARCHAR INTEGER FLOAT |
Database Protectors
Oracle Database Protector
The supported input data types for the Oracle Database Protector are listed below.
| Protection Method | Supported Input Data Types |
|---|---|
| HMAC-SHA1 | VARCHAR2 |
| HMAC-SHA1 | CHAR |
| HMAC-SHA256 | VARCHAR2 |
| HMAC-SHA256 | CHAR |