Encryption Properties - IV, CRC, Key ID
The encryption properties include Initialization Vector (IV), Integrity Check (CRC), and Key ID.
For encrypting Unstructured Data using File Protector, you can enable the Key ID property in the encryption data element to be used with unstructured policy.
The following table describes encryption properties.
Table: Encryption Properties
| Feature | Description |
|---|---|
| Initialization Vector (IV) | Encrypting the same value with the IV property enabled produces a different ciphertext each time. |
| Integrity Check (CRC) | A function that takes a data stream of any length as input and produces a value of a fixed size as output. The CRC can be used as a checksum to detect alteration of the data during transmission or storage. |
| Key ID | A Key ID is an identifier that associates encrypted data with the protection method so that the data can be decrypted regardless of where it ultimately resides. A data element can have multiple key IDs associated with it. When the Key ID property is turned on, an extra 2 bytes are prepended to the cipher text; they contain the reference to the Key ID that was used to produce the cipher text. Caution: It is recommended not to create a large number of keys. All Data Encryption Keys (DEKs) are generated and decrypted using the configured Key Store. This process might take some time and incur costs. |
Key IDs
Key IDs are a way to correlate a data element key with its encrypted data. Data elements can have multiple key IDs associated with them. Key IDs facilitate tasks related to the management of sensitive data, such as archiving and key rotation. Note that a maximum of 8191 keys can be created.
Caution: It is recommended not to create a large number of keys. All Data Encryption Keys (DEKs) are generated and decrypted using the configured Key Store. This process might take some time and incur costs.
The following table describes the key ID states.
Table: Key ID States
| Feature | Description |
|---|---|
| Pre-Active | The initial state of a key that is created by the Create Key option. |
| Active | A key becomes Active once it is distributed to a protector by deploying the data security policy. |
| Deactivated | An Active key becomes automatically Deactivated when the data security policy is redeployed with a new Pre-Active key. |
For more information about key ID states, refer to Working with Keys.
Table: Examples of Encryption Properties for the AES-256 algorithm (input value is “Protegrity”)
| Encryption Property | Encrypted Values | Comments |
|---|---|---|
| AES-256-IV | 0x1361D69E18A692507895780C2FB26DD7869979CC1BB6612A994B5EA5585FCF0B 0xE2D579E937EE92C67167749151B30809A538CC6A6871B8D9B0C17FBA6F1A8D94 | Encrypting the same value with the IV property resulted in different output values. Decrypt will be performed correctly for both values. |
| AES-256-CRC | 0x7A0C701B4B30E6BF141196FE44F125BD 0x3964DD0ACAF5B39D159BE7518B46D84A8DCC0B62F2183B3888FEF82B65C7F87D | The first value is the result of encrypting “Protegrity1” together with a 4-byte CRC checksum. The resulting input is 15 bytes, which fits in a single AES block. The second value is the result of encrypting “Protegrity12” together with a 4-byte CRC checksum. The resulting input is 16 bytes, which requires two AES blocks. |
| AES-256-KeyID | 0x200936F85C3BD86F008A57C3DF33F200BC42 0x20157C0E98A1C9E4E6F4D1DCB6FE72B2DA69 | The key ID of the first value is 9 (0x2009 in hex); the key ID of the second value is 21 (0x2015 in hex). |
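To make the block arithmetic in the AES-256-CRC row concrete, here is an added Python model of the plaintext the cipher is fed when the CRC property is on. This is not Protegrity code: it assumes a CRC-32 (the IEEE polynomial that zlib implements) appended big-endian after the value and PKCS#7 padding to the 16-byte AES block, neither of which the page specifies, and it leaves the AES step itself out, since only the layout before and after the cipher matters here.

```python
import zlib

AES_BLOCK = 16  # AES processes 16-byte blocks whatever the key size (AES-256 included)
CRC_LEN = 4     # the page states a 4-byte checksum


def crc32_tag(data: bytes) -> bytes:
    """4-byte checksum of data. Assumption: CRC-32 as implemented by zlib, big-endian."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(CRC_LEN, "big")


def pkcs7_pad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """PKCS#7 (assumed): always append 1..block bytes, so a full 16-byte input grows to 32."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = AES_BLOCK) -> bytes:
    if not data or len(data) % block:
        raise ValueError("input is not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def build_block_input(value: bytes) -> bytes:
    """What the cipher is fed with the CRC property on: value || CRC(value), then padded."""
    return pkcs7_pad(value + crc32_tag(value))


def block_count(value: bytes) -> int:
    """Number of AES blocks the encrypted value will occupy."""
    return len(build_block_input(value)) // AES_BLOCK


def verify_and_strip(block_output: bytes):
    """Reverse step after decryption: unpad, split off the CRC and return the value,
    or None when the CRC does not match the data (corruption detected)."""
    body = pkcs7_unpad(block_output)
    if len(body) < CRC_LEN:
        return None
    value, tag = body[:-CRC_LEN], body[-CRC_LEN:]
    return value if crc32_tag(value) == tag else None


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a storage or transmission error: flip a single bit (constructed corruption)."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


if __name__ == "__main__":
    for value in (b"Protegrity1", b"Protegrity12"):
        print(value, "->", len(value) + CRC_LEN, "bytes before padding,",
              block_count(value), "AES block(s)")
    good = build_block_input(b"Protegrity")
    print("intact :", verify_and_strip(good))
    print("flipped:", verify_and_strip(flip_bit(good, 3)))
```

Run as a script, it reports 1 block for “Protegrity1” (11 + 4 = 15 bytes, padded to 16) and 2 blocks for “Protegrity12” (12 + 4 = 16 bytes, padded to 32), matching the table, and shows the checksum rejecting a single flipped bit. A CRC is a checksum, not a message authentication code: it reliably catches accidental corruption of stored or transmitted data, which is what the property is documented for, but it offers no guarantee against deliberate modification, for which an authenticated encryption mode or a keyed MAC is the appropriate tool.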
Key IDs in Protectors
For all protectors, Key IDs can only be used with data elements that use the AES, CUSP, or 3DES algorithms. The Key ID is included in the encrypted value.
For more information on the format of encrypted data, refer to Data Length and Padding in Encryption.
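The 2-byte Key ID header and the Key ID States table, worked through in an added Python example that is not Protegrity's own code. From the two table values (0x2009 is key 9, 0x2015 is key 21) and the documented maximum of 8191 keys (2^13 - 1), it assumes the key number occupies the low 13 bits of the big-endian header and that the high three bits (0b001 in both samples) are a fixed marker; the KeyRing class, its one-Pre-Active-key-at-a-time rule, and keeping a Deactivated key on the ring so that older cipher text can still be matched to it are likewise assumptions made for the example, not statements from the page.

```python
from typing import Dict, Tuple

MAX_KEYS = 8191            # documented maximum number of keys; equals 2**13 - 1
KEY_ID_MASK = 0x1FFF       # assumption: the key number lives in the low 13 bits
HEADER_MARKER = 0b001      # assumption: the high 3 bits seen in both samples (0x20xx)
PRE_ACTIVE, ACTIVE, DEACTIVATED = "Pre-Active", "Active", "Deactivated"


def parse_key_id_header(cipher: bytes) -> Tuple[int, bytes]:
    """Split the 2-byte Key ID header off a cipher text; return (key_id, remaining bytes)."""
    if len(cipher) < 2:
        raise ValueError("cipher text too short to carry a Key ID header")
    header = int.from_bytes(cipher[:2], "big")
    if header >> 13 != HEADER_MARKER:
        raise ValueError("unexpected Key ID header 0x%04x" % header)
    return header & KEY_ID_MASK, cipher[2:]


class KeyRing:
    """Key states for one data element, following the Key ID States table (assumed model)."""

    def __init__(self) -> None:
        self._state: Dict[int, str] = {}   # key_id -> state
        self._next_id = 1

    def create_key(self) -> int:
        """Create Key: a new key starts in the Pre-Active state."""
        if self._next_id > MAX_KEYS:
            raise RuntimeError("maximum of %d keys reached" % MAX_KEYS)
        if PRE_ACTIVE in self._state.values():
            raise RuntimeError("deploy the pending Pre-Active key first")  # assumption
        key_id = self._next_id
        self._next_id += 1
        self._state[key_id] = PRE_ACTIVE
        return key_id

    def deploy(self) -> int:
        """Deploy the data security policy: the Pre-Active key becomes Active and the
        previously Active key is automatically Deactivated."""
        pending = [k for k, s in self._state.items() if s == PRE_ACTIVE]
        if not pending:
            raise RuntimeError("nothing to deploy: no Pre-Active key")
        for k, s in self._state.items():
            if s == ACTIVE:
                self._state[k] = DEACTIVATED
        self._state[pending[0]] = ACTIVE
        return pending[0]

    def state(self, key_id: int) -> str:
        return self._state[key_id]

    def active_key(self) -> int:
        return next(k for k, s in self._state.items() if s == ACTIVE)

    def key_for_ciphertext(self, cipher: bytes) -> Tuple[int, str]:
        """Read the header and report which key (and in what state) produced the value.
        A Deactivated key is still found, which is what lets archived data be decrypted."""
        key_id, _ = parse_key_id_header(cipher)
        if key_id not in self._state:
            raise KeyError("Key ID %d is unknown to this data element" % key_id)
        return key_id, self._state[key_id]


# The two sample values from the AES-256-KeyID row of the table above.
SAMPLE_KEY_9 = bytes.fromhex("200936F85C3BD86F008A57C3DF33F200BC42")
SAMPLE_KEY_21 = bytes.fromhex("20157C0E98A1C9E4E6F4D1DCB6FE72B2DA69")

if __name__ == "__main__":
    ring = KeyRing()
    first = ring.create_key()
    ring.deploy()
    second = ring.create_key()
    ring.deploy()
    print(first, ring.state(first), "|", second, ring.state(second))
    for sample in (SAMPLE_KEY_9, SAMPLE_KEY_21):
        key_id, body = parse_key_id_header(sample)
        print("key id", key_id, "body", body.hex(), "(%d bytes)" % len(body))
```

On the two table samples the parser returns key IDs 9 and 21, each followed by one 16-byte AES block, and the ring walk shows key 1 moving Pre-Active, Active, Deactivated as key 2 is created and deployed. The header check is the part to keep even if the layout assumption is adjusted: a value whose header does not match the expected form should be rejected before any key lookup, rather than silently mapped to whichever key the low bits happen to name.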