How to Encrypt Data Using Machina Tools

Whether you’re a software development team lead at a prestigious financial institution assigned to redact personally identifiable information (PII) before releasing the next bankruptcy report, or your development shop has just been contracted by a large healthcare organization to help update their systems to meet HIPAA requirements, chances are you’ve been asked to obfuscate sensitive data.

Protecting sensitive data is not an uncommon requirement when building applications. In a recent survey, 71% of companies indicated they utilized encryption for some of their data in transit, and 53% utilized encryption for some of their data in storage.

If you’re one of these developers, you’re looking at crypto libraries to solve the problem. There are a lot of crypto libraries out there, so what differentiates the Ionic platform?

  1. Key management. Well-known cryptographer, Bruce Schneier, wrote “The security of an algorithm rests in the key. If you’re using a cryptographically weak process to generate keys, then your entire system is weak.” As the team’s lead, you don’t want to invest resources in building your own KMS, especially when that could become the weak link in securing sensitive data.
  2. Policy to control access. The Ionic SDKs enable developers to control access using a consistent policy framework. Describe your data using key attributes and then your data is protected throughout the lifecycle. The Ionic platform allows you to control access in real time using a consistent policy framework.

Developers can get all of these features free. With no background in cryptography, you can quickly and confidently add data protection and management to your application.

HOW DOES IT WORK?

Using the Ionic SDKs, you can generate a key, encrypt and protect your data, and return the results to your application using a single call, like so:

cipher = ionicsdk.ChunkCipherAuto(agent)

Here, ChunkCipherAuto() calls an instance of our Agent class, handles the key create and key fetch and encrypts the payload using standard AES-256 encryption, all without having to create and fetch keys. Super easy, right?

Getting Started with the Ionic SDKs

Before moving on, let’s test that. Getting started with the Ionic SDKs is equally easy. Simply,

  1. Create an account on dev.ionic.com
  2. Download Ionic tools and create a profile on your local device
  3. Install your SDK of choice (JavaScript, Python, Java, C# or C/C++)
  4. Run “Hello, World.”

Congratulations, you’ve just encrypted and decrypted your first string. In this case, we didn’t even need to create a key. The SDK manages the entire process for us.

WORKING WITH DATA PROTECTION KEYS

Quick encrypt/decrypt is great when you need to encrypt data like a file, string or an object. But what if you wanted to set the encryption algorithm, or encrypt parts of a record in a CSV file or a field in a database record? The strategy here is to create encryption keys to protect each data set (like a column) or even individual pieces of data. With a key management system at your disposal, you can create as many keys as you want. As you’ll see in a moment, you can  describe the specific data you are protecting using “key attributes,” then create policy rules to allow access based on attribute values.

First, let’s create a simple encryption key. Again, the Ionic SDKs allow you to do this in your language of choice. For example, in Python you can create a new data-protection key by invoking a createkey() method like so:

my_shiny_key = agent.createkey()

You can also generate multiple keys and dole them out as needed.

my_list_of_keys = agent.createkeys()

Don’t worry, I’ll put this all together in a moment.

Access Control Using Policy

Now that your application can protect data, how do you manage who can access that data, when and under what conditions?  This is actually what differentiates the Ionic platform from other key management solutions. The SDK allows you to create data protection keys and assign attributes to those keys. These attributes are programmer defined and can be associated with policy rules residing on the Ionic platform. Those policies are centralized, so an Admin can update them, and my application doesn’t have to account for the changes. You’ve effectively separated policy from your application,

For example, you could define an attribute and value pair, “sensitivity-level : confidential.” That attribute-value pair acts as metadata that describes the encrypted data. You can read that attribute without decrypting the package, and you can introduce program logic to manage the payload without decrypting the actual data. Meaning you don’t have to embed policy decisions into your application.

First, I’ll assign an attribute-value pair to a string variable:

mutable_attributes=”sensitivity-level, confidential”

Notice that I’ve named this variable “mutable_attributes.” Mutable attributes are attributes with values that can be updated. For example, we could increase the sensitivity-level to “highly restricted.” The Ionic platform also supports fixed attributes. which are immutable. A timestamp for the key create, for example, does not change. This is established upon key creation.

Now let’s create a new key and attach the attributes defined earlier.

my_shiny_key = agent.createkey(attributes=none, mutableAttributes=mutable_attributes)

I haven’t assigned a fixed attribute because the timestamp for createkey() is already tracked by the Ionic platform.

Now within Ionic, policy rules defined by your organization will know how, when and under what conditions data protected by this key can be accessed. When an application attempts to access data protected by this key, these policy rules will be evaluated and a decision will be made to release or not.

Putting it Together

In order to focus on encryption and key management, I’ve glossed over device registration, profile management and authentication. The SDK tutorials at dev.ionic.com will walk you through these steps in any of the languages supported by the SDK Here, I’ll just show snippets of Python code.

This example creates a key, fetches the key from the key server and updates it. First let’s define some key attributes.

# define fixed attributes
fixed_attributes = {"data-type": ["Finance"], "region": ["North America"]}

# define mutable attributes
mutable_attributes = {"classification": ["Restricted"], "designated_owner": ["[email protected]"]}

Now we can create the key and attach the attributes. Note the SDK also passes error codes for failed attempts.

# create new key with fixed and mutable attributes

try:

created_key = agent.createkey(attributes=fixed_attributes, mutableAttributes=mutable_attributes)

except ionicsdk.exceptions.IonicException as e:

print("Error creating a key: {0}".format(e.message))
sys.exit(-2)

The Ionic platform returns a key ID along with the key and key attributes. You can access them like so:

# display new key

print("\nNEW KEY:")
print("KeyId        : " + created_key.id)
print("KeyBytes     : " + binascii.hexlify(created_key.bytes))
print("FixedAttrs   : " + json.dumps(created_key.attributes))

Now we can fetch the key, update its attributes and store the results back on the key server. The tutorial mentioned above walks you through each step.

SUMMARY

Using the Ionic platform and Ionic SDKs makes it easy to introduce crypto into your applications without the need to change program logic. As a developer you can control data access using a consistent policy framework, and you get full visibility into all attempts to access protected data. You can build secure apps with no background in cryptography, and you can do all of this with just a few lines of code.