Data Loss Prevention V2 Client - Class CryptoReplaceFfxFpeConfig (1.14.0)

Reference documentation and code samples for the Data Loss Prevention V2 Client class CryptoReplaceFfxFpeConfig.

Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the ReidentifyContent API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/sensitive-data-protection/docs/pseudonymization to learn more.

Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity.

Generated from protobuf message google.privacy.dlp.v2.CryptoReplaceFfxFpeConfig

Namespace

Google \ Cloud \ Dlp \ V2

Methods

__construct

Constructor.

Parameters
Name Description
data array

Optional. Data for populating the Message object.

↳ crypto_key Google\Cloud\Dlp\V2\CryptoKey

Required. The key used by the encryption algorithm.

↳ context Google\Cloud\Dlp\V2\FieldId

The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and unstructured ContentItems. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

↳ common_alphabet int

Common alphabets.

↳ custom_alphabet string

This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/

↳ radix int

The native way to select the alphabet. Must be in the range [2, 95].

↳ surrogate_info_type Google\Cloud\Dlp\V2\InfoType

The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType SurrogateType. This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

getCryptoKey

Required. The key used by the encryption algorithm.

Returns
Type Description
Google\Cloud\Dlp\V2\CryptoKey|null

hasCryptoKey

clearCryptoKey

setCryptoKey

Required. The key used by the encryption algorithm.

Parameter
Name Description
var Google\Cloud\Dlp\V2\CryptoKey
Returns
Type Description
$this

getContext

The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used.

If the context is set but:

  1. there is no record present when transforming a given value or
  2. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and unstructured ContentItems. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that:
  3. a 64 bit integer is encoded followed by a single byte of value 1
  4. a string is encoded in UTF-8 format followed by a single byte of value 2
Returns
Type Description
Google\Cloud\Dlp\V2\FieldId|null

hasContext

clearContext

setContext

The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used.

If the context is set but:

  1. there is no record present when transforming a given value or
  2. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and unstructured ContentItems. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that:
  3. a 64 bit integer is encoded followed by a single byte of value 1
  4. a string is encoded in UTF-8 format followed by a single byte of value 2
Parameter
Name Description
var Google\Cloud\Dlp\V2\FieldId
Returns
Type Description
$this

getCommonAlphabet

Common alphabets.

Returns
Type Description
int

hasCommonAlphabet

setCommonAlphabet

Common alphabets.

Parameter
Name Description
var int
Returns
Type Description
$this

getCustomAlphabet

This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption.

Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/

Returns
Type Description
string

hasCustomAlphabet

setCustomAlphabet

This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption.

Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/

Parameter
Name Description
var string
Returns
Type Description
$this

getRadix

The native way to select the alphabet. Must be in the range [2, 95].

Returns
Type Description
int

hasRadix

setRadix

The native way to select the alphabet. Must be in the range [2, 95].

Parameter
Name Description
var int
Returns
Type Description
$this

getSurrogateInfoType

The custom infoType to annotate the surrogate with.

This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType SurrogateType. This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

Returns
Type Description
Google\Cloud\Dlp\V2\InfoType|null

hasSurrogateInfoType

clearSurrogateInfoType

setSurrogateInfoType

The custom infoType to annotate the surrogate with.

This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType SurrogateType. This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

Parameter
Name Description
var Google\Cloud\Dlp\V2\InfoType
Returns
Type Description
$this

getAlphabet

Returns
Type Description
string