Using the PSN as the Token

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

The PSN is a simple concept. During new domain creation, you must choose the starting value of the PSN and the number of digits you want to use for your PSN. By default, SAKA is configured to use 16 digits as the PSN (to accommodate credit card numbers) and the starting value defaults to 1000000000000001 for server ID #1, 2000000000000001 for server ID #2 and so on. The New-Domain-Setup-Wizard.sh script that sets up new encryption domains in SAKA allows specification of the number of digits in the PSN and the starting number for each server of the cluster. Once specified, it is not a good idea to change it. It will be less complicated to create a new encryption domain with custom token numbers and write a small batch program to decrypt the old tokens; then re-encrypt them in the new encryption domain while updating your database with the new domain ID and token numbers.

By using PSNs, after the SAKA has completed encrypting the plaintext with the DEK and generated an HMAC with the DHK, it creates a new PSN for the object based on configured parameters, and returns the PSN to the calling application.

The advantage of using the PSN is that it never changes. The same PSN, regardless of the DEK or the DHK, will always result in the same plaintext as long as PSNs are used from the beginning when SAKA goes into production. Authorized applications that store the PSN as the token never need change the token value and can always call upon SAKA to return the original plaintext, regardless of how many key rotations have taken place between the initial encryption and decryption transactions.

This is because, when SAKA receives a new encryption request, even before it encrypts the data, it calculates the HMAC of the plaintext with the current DHK and checks to see if the internal database already has the HMAC stored in it. If it does exist, based on the value of tokentype, it returns either the HMAC or the PSN without doing any further processing. No duplicate record is created, but the fact that the request was found in the database is logged in the server's log file. Authorized applications do not see any difference in their request processing whether the value exists in the database or not—they always get back a token.

When the DEK and DHK change, the new ciphertext and HMAC values are calculated and stored in the internal database, but the PSN does not change. This allows applications to continue using the PSN to request decryption services from SAKA and get the same plaintext regardless of which DEK or DHK is in use at the current time.

NOTE: It is strongly recommended that sites always use the PSN even if they believe they will never store objects past the end of a calendar year. Business requirements may change, but by using the PSN from the start, applications will not have to change due to the new requirement.

The appliance also has the ability to issue tokens that conform to the Luhn algorithm¹. This allows tokens to be used within application that check for conformance to the Luhn algorithm. This can be enabled by configuring the strongkeylite.cfg.property.luhntokens property to be true; this can be done on at the level of the encryption domain, so one domain may be using Luhn-conformant tokens while others need not. It is necessary to restart the Payara application server before this property goes into effect. It is also recommended that this property be turned on immediately after creating the encryption domain to ensure that tokens are generated that conform to this specification.

NOTE: It is possible to store a significant number of unique PSNs for credit card numbers (hardware capacity permitting), given that startvalue for the PSN is 1000000000000001 by default; almost one quadrillion (1,000,000,000,000,000) unique credit card numbers can be stored. If this isn't enough, it is possible to create additional encryption domains and use startvalue all over again, thus creating almost infinite capacity. Since the Domain ID is a required piece of information in all SAKA web requests, SAKA knows from which encryption domain to retrieve the value. Of course, to avoid having to change database schemas if they choose to add additional encryption domains in the future, applications must store the unique Domain ID in their database with the token.