It’s been a while since I blogged about tokenization. My last post on the subject drew some interesting comments – and conflicting comments at that: one commenter argued equating tokenization and encryption is bad for tokenization because tokenization is more secure per se. Another, however, commented that it’s in fact bad for encryption because encryption is based on proven algorithms while tokenization is not. Are these indeed contradicting views?
Interestingly enough, both commenters pose valid concerns. This is possible because the first view is based on architecture distinctions while the second is based on algorithm distinctions. In the end, though, tokenization is a form of encryption: the system builds a secret code book that contains the mappings between the plain texts and the cipher texts (or codes). In essence, it’s a symmetric block cipher in ECB mode.
Looking at history, we actually see many crypto systems based on code books. A famous example is the Navajo code talkers used in World War II. A lot of people get hung up on the “but tokenization doesn’t have a key” thing … problem is, it most definitely does have one in the form of the code book. Those that disagree with such large things being called keys must by extension conclude the one time pad isn’t encryption either. An untenable position if you ask me.
So why do I keep banging this drum? IOW, why is it important to acknowledge this? The reason is simple: the security created by a tokenization system is first and foremost dependent on its architecture. Algorithms are of course extremely important, but a the best algorithm in the world simply can’t save a bad protocol / design / implementation. The rules by which tokenization and encryption have to play are identical.
However, there is a problem in practice: the way encryption and tokenization are defined in the PCI DSS, and how they impact PCI scoping as a result of that definition … but more on that in the next post, which will also address the “based on math” argument brought forward in a three-piece vendor counter-argument to my original post.
View Free, Relevant Gartner Research
Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.Read Free Gartner Research
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.