Document and give an example of the input size limits when using the FF3-1 transform. (#9151)

* Document and give an example of the input size limits when using the FF3-1
transform.
Scott Miller 2020-06-05 07:45:18 -05:00 committed by GitHub
parent fdba917b66
commit f8f4ae4ab2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 31 additions and 0 deletions


@ -170,6 +170,35 @@ In summary, there are three ways in which the tweak value may be sourced:
Your team and organization should weigh in on the trade-offs when it comes to
choosing the proper tweak source to use.
#### Input Limits
FF3-1 specifies both minimum and maximum limits on the length of an input.
These limits are driven by the security goals, making sure that for a given
alphabet the input size does not leave the input guessable by brute force.
Given an alphabet of length A, an input length L is valid if:
* L >= 2,
* A^L >= 1,000,000
* and L <= 2 * floor(log<sub>A</sub>(2^96)).
As a concrete example, for handling credit card numbers, A is 10, L is 16, so
valid input lengths would be between 6 and 56 characters. This is because
10^6=1,000,000 (already greater than 2), and 2 * floor(log<sub>10</sub>(2^96)) = 56.
Of course, in the case of credit card numbers valid input would always be 16
decimal digits.
#### Output Limitations
After transformation and formatting by the template, the value is an encrypted
version of the input with the format preserved. However, the value itself may
be *invalid* with respect to other standards. For example the output credit card
number may not validate (it likely won't create a valid check digit).
So one must consider when the outputs are stored whether validation in storage
may reject them.
### Masking
Masking performs replacement of matched characters on the input value with a
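Review bot: the worked example in the new Input Limits section conflates the specific input length with the valid range: "A is 10, L is 16, so valid input lengths would be between 6 and 56 characters" reads as though L = 16 contributes to the bounds, when only A = 10 does. Suggest "for decimal digits A is 10, so valid input lengths are between 6 and 56 characters" and keep the 16-digit remark for the closing sentence about credit card numbers. The parenthetical "(already greater than 2)" is also ambiguous: it is the minimum length 6 that satisfies L >= 2, not the value 1,000,000, so something like "6 >= 2, and 10^6 = 1,000,000 meets the second bound" would be clearer. Minor: the two new headings are "Input Limits" and "Output Limitations"; pick one noun for consistency.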
@ -221,6 +250,8 @@ The following builtin alphabets are available for use in the secret engine:
- builtin/alphanumericupper
- builtin/alphanumeric
Custom alphabets must contain between 2 and 65536 unique characters.
## Learn
Refer to the [Transform Secrets Engine](https://learn.hashicorp.com/vault/adp/transform) guide for a step-by-step tutorial.
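Review bot: the added sentence "Custom alphabets must contain between 2 and 65536 unique characters." states the alphabet-size bounds in isolation, but the alphabet size A is what drives the input-length bounds documented in the new Input Limits section (for example, a two-character alphabet needs at least 20 input characters before A^L >= 1,000,000 holds). Suggest appending a cross-reference, e.g. "The alphabet size also determines the valid input lengths; see Input Limits above.", so readers defining small custom alphabets know to check the minimum length.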