Introduction to Tokenization 
Prepared by @nabeelxy 
8/28/2014
What is tokenization?
• Replace a value with a surrogate value called a “token”
  value → [Tokenize] → token
• Examples (value → token)
  – 1344 6423 1231 1521 → aX73pQ43T1#+4oxT4 (token consists of alphanumeric characters)
  – 1344 6423 1231 1521 → 3124224578918001 (token consists of numeric characters only)
  – 1344 6423 1231 1521 → aX73pQ43T1#+y1521 (token replaces the first 12 digits with an alphanumeric value)
Properties of a Good Token
• Format and length preserving
• Some characteristics may be preserved (e.g. last four digits of CC#s)
• Irreversible without some private information (i.e. given a token, it is difficult to find the value)
• Distinguishable from the value
  – If the token is not distinguishable from the value, customers won’t be able to identify sensitive data and apply proper protection mechanisms; further, customers may inadvertently leak sensitive data thinking they are tokens
What is de-tokenization?
• The reverse process of finding the actual value from a token
  token → [De-tokenize] → value
Why tokenize?
• Reduced risk due to limited exposure of sensitive information (sensitive information is centralized in one location and downstream apps work with tokens)
• Reduced PCI scope (the number of nodes holding sensitive data decreases)
• Minimal changes to applications to support tokenization (tokenization is format and length preserving)
An Example – Tokenizing CC#s
[Diagram, reconstructed from the slide: a Customer on the INTERNET sends (1) Payment, CC to the Point of Sale App in the MERCHANT DATA CENTER; the Point of Sale App sends (2) Tokenize CC to the Payment Tokenization System and receives (3) Tokenized CC back; the Tokenized CC then flows as (4) to the Data Warehouse and as (5) to the Order Processing App and the CRM App, so the downstream apps see only tokens.]
Single-use vs. Multi-use tokens
• Single-use token
  – Usually used to represent a single transaction
  – A given value may map to multiple tokens
  – Short lived
• Multi-use token
  – Usually used to represent a unique value (for example, a CC#) across multiple transactions
  – A token maps to a unique value within the tokenization system
  – Long lived
How to Generate Tokens?
• Use a mathematically reversible cryptographic function (e.g. Format Preserving Encryption)
• Use a one-way, non-reversible cryptographic function (e.g. a hash function such as SHA-2)
• Use static tables mapping values to random tokens (tokens are not mathematically derived from values)
Tokenization Process
De-tokenization Process
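As an added example (not code from the deck or its author), the following Python implements the second and third generation methods from the slide above, a keyed SHA-2 hash and a random-token vault, and wires them to the tokenize/de-tokenize flow of slides 4 and 9–10 and the single-use/multi-use distinction of slide 7. It keeps the token properties from slide 3: length and separators preserved, last four digits kept, and tokens made distinguishable from real card numbers by forcing them to fail the Luhn check (a design choice assumed here, not stated in the deck). All names, the demo key and the 4111 test PAN are constructed for the example.

```python
"""Added example: two of the slide's token-generation methods for card numbers."""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(digits: str) -> bool:
    """True if a digit string passes the Luhn checksum that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def only_digits(value: str) -> str:
    """Strip separators such as spaces or dashes, keeping the digits."""
    return "".join(ch for ch in value if ch.isdigit())


def _apply_format(template: str, digits: str) -> str:
    """Format preservation: put token digits back into the separators of the input."""
    it = iter(digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)


def _force_luhn_invalid(digits: str) -> str:
    """Distinguishability (assumed design choice): a token must never look like a
    real PAN, so if it happens to pass Luhn, bump the first digit, which always
    changes the checksum."""
    if luhn_valid(digits):
        digits = str((int(digits[0]) + 1) % 10) + digits[1:]
    return digits


def hmac_token(value: str, key: bytes) -> str:
    """Slide 8, method 2: a one-way token from a keyed SHA-2 hash (HMAC-SHA-256).
    The last four digits are kept; the rest is derived from the MAC. The hash is
    keyed because the PAN space is small enough for an unkeyed hash of a card
    number to be inverted by exhaustive search."""
    pan = only_digits(value)
    if len(pan) < 5:
        raise ValueError("value too short to tokenize")
    mac = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    head = str(int(mac, 16)).zfill(len(pan))[-(len(pan) - 4):]
    return _apply_format(value, _force_luhn_invalid(head + pan[-4:]))


class TokenVault:
    """Slide 8, method 3: random tokens with a static value<->token table.

    The table is an in-memory dict here; a production vault keeps the PAN column
    encrypted (slide 13) and restricts which callers may invoke detokenize()."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def _new_token_digits(self, pan: str) -> str:
        keep = pan[-4:]
        while True:
            head = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            cand = _force_luhn_invalid(head + keep)
            # Reject a (vanishingly rare) collision with the PAN or an issued token.
            if cand != pan and cand not in self._token_to_pan:
                return cand

    def tokenize(self, value: str, single_use: bool = False) -> str:
        """Multi-use (default, slide 7): the same PAN always yields the same token.
        Single-use: each call mints a fresh token that still maps to the PAN."""
        pan = only_digits(value)
        if len(pan) < 5:
            raise ValueError("value too short to tokenize")
        if not single_use and pan in self._pan_to_token:
            return _apply_format(value, self._pan_to_token[pan])
        tok = self._new_token_digits(pan)
        self._token_to_pan[tok] = pan
        if not single_use:
            self._pan_to_token[pan] = tok
        return _apply_format(value, tok)

    def detokenize(self, token: str) -> str:
        """Reverse lookup (slide 4); KeyError for a token this vault never issued."""
        return _apply_format(token, self._token_to_pan[only_digits(token)])


if __name__ == "__main__":
    vault = TokenVault()
    pan = "1344 6423 1231 1521"          # example value from slide 2
    tok = vault.tokenize(pan)
    print(pan, "->", tok, "->", vault.detokenize(tok))
    print("keyed-hash token:", hmac_token(pan, b"constructed-demo-key"))
```

The vault tokens are the multi-use kind the deck says the corporate market favours; the HMAC variant is irreversible even to the vault operator, which is why it suits cases where de-tokenization is never needed.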
How to manage tokens?
• Two options
  – In-house
  – Third-party service provider
• In-house tokenization server
  – The company owns and operates the token system and token database
  – The token server stores the original sensitive data
  – Usually used by large companies that want to keep the sensitive data
• Third-party tokenization server (TaaS – Tokenization as a Service)
  – Third-party service providers generate tokens and give them to companies
  – Usually used by small companies that do not want to hold the actual sensitive data
  – E.g. in CC transactions, the payment processor generates a token and gives only the token to the merchant for future references (e.g. recurring fees, refunds, etc.); the merchant sacrifices control and pays a higher fee in exchange for convenience, reduced liability and cheaper PCI compliance
Tokenization vs. Encryption
• Tokenization
  – Output is format and length preserving
  – May or may not use encryption as the mapping function (could use a hash function or a static mapping table)
  – Output may or may not be reversible
  – Regulatory compliance: PCI DSS
  – A main use case is to reduce PCI scope by passing tokens to downstream applications
• Encryption
  – Output is generally not format or length preserving (e.g. AES, RSA); exceptions are FPE (Format Preserving Encryption) and OPE (Order Preserving Encryption)
  – Does not use tokenization internally
  – Output is always reversible given the key
  – Regulatory compliance: Safe Harbor, HIPAA
  – A main use case is to ensure the confidentiality of data at rest (even if the storage media is compromised or lost, attackers cannot see the actual data as they don’t have the keys)
How is tokenization currently used in the corporate market?
• Tokenization is used to replace sensitive data such as CC#s with random numbers (the 3rd generation method mentioned earlier)
• The sensitive data is kept encrypted in a database
• Since tokens preserve the length and format, changes to applications are minimal
• The sensitive data is exposed only when necessary; otherwise, apps work with the tokens
References 
• PCI DSS Tokenization Guidelines, 2011
