Storing Encryption Domain Identifier (DID)

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

Regardless of what rules applications follow, businesses that choose to store CHD must comply with PCI-DSS Requirement 3.4, mandating the protection of sensitive CHD through approved/industry-standard cryptographic schemes and practices. It is at this point the application will call the SAKA webservice to “encrypt” the PAN.

In order to encrypt any sensitive data, the Foundation services of the SAKA requires the following four parameters:

TABLE 1: Parameters for the Encryption service

#	Parameter	Explanation
1	did	The unique Encryption Domain identifier. This is a numeric integer that logically represents the context within which the data is encrypted and tokenized.
2	username	The username within the encryption domain with the authorization to call this webservice.
3	password	The password of the username to authenticate the credential of the requester.
4	plaintext	The sensitive data that must be encrypted and tokenized.

When the webservice call returns after having completed the encryption and tokenization of sensitive data, the SAKA (in its default configuration) return a 16-digit token. Typically the token resembles the following numbers: 1000000000391711, 2000000000231307, 3000000000170319, etc. depending on the number of SAKA nodes in the Production cluster and the number of encrypted objects already stored in the IDB – the SAKA node with server ID #1 returns tokens that begin with the numeral one (1), the node with server ID #2 returns tokens that begin with the numeral two (2), and so on. The SAKA nodes handle replication between cluster nodes asynchronously in the background, so unless the network between nodes was very slow or non-working, all nodes of the cluster have all transactions within a few seconds/minutes.

Notwithstanding the fact that each node generates a unique token that returns the original sensitive data (regardless of which node is called), it is imperative that the application store the encryption domain identifier (DID) with the token in the ADB. This is because, the SAKA supports the ability to create hundreds of encryption domains on a single appliance (which are like virtual machines on a physical server), and each encryption domain is likely to return similar token numbers (unless the domain was specifically configured to return completely unique tokens across encryption domains).

As such, applications must know which encryption domain to contact when decrypting a token. Calling the wrong domain will either generate incorrect data (if the same credentials exist across domains) or fail to return a response due to invalid credentials. This leads to the first important design consideration when using the SAKA:

Design Consideration #1

The ADB must have a column in its data-schema to store the DID with the tokenized PAN, and the application must be modified to read the DID and send it with the token to the SAKA for decryption, deletion or relay webservices. The ADB should plan on using at least 3 digits for the DID column, unless your environment anticipates having more than 999 encryption domains within a single cluster.

Do not assume that only one application will use the SAKA, and as such, all transactions will default to a single domain; in our experience, due to differing business needs, local laws and increasing sensitivity to the disclosure of even unregulated personally identifiable information (PII), companies are being forced to encrypt/tokenize more than just CHD in e-commerce applications. As such, it is almost certain that companies will need to use multiple encryption domains in the future; planning for it by including the DID in the data-schema will avoid painful modifications to the first application when a second application needs to use the SAKA.

Since the SAKA (in its default configuration) is designed to return the same token for the same CHD no matter how many transactions are performed, the token may now be within all applications in the infrastructure to refer to the CHD. Authorized applications may decrypt the token to retrieve the original CHD when needed.