Masking and Obfuscation
Masking and Anonymization of Data in Motion
To mask patterns in real time, we use the out-of-the-box Mask Function . This is similar to sed, but with much more powerful functionality.
Masking Capabilities
The Mask Function accepts multiple replacement rules, and accepts multiple fields to apply them to.
Match Regex is a JS regex pattern that describes the content to be replaced. It can optionally contain matching groups. By default, it will stop after the first match, but using /g will make the Function replace all matches.
Replace Expression is a JS expression or literal to replace matched content.
Matching groups can be referenced in the Replace Expression as g1, g2… gN, and the entire match as g0.
There are several masking methods that are available under C.Mask.:
C.Mask.random: Generates a random alphanumeric string
C.Mask.repeat: Generates a repeating char/string pattern, e.g., XXXX
C.Mask.REDACTED: The literal ‘REDACTED’
C.Mask.md5: Generates a MD5 hash of given value
C.Mask.sha1: Generates a SHA1 hash of given value
C.Mask.sha256: Generates a SHA256 hash of given value
Almost all methods have an optional len parameter which can be used to control the length of the replacement. len can be either a number or string. If it’s a string, its length will be used. For example:
Masking Examples
Let’s look at the various ways that we can mask a string like this one: cardNumber=214992458870391. The Regex Match we’ll use is: /(cardNumber=)(\d+)/g. In this example:
g0=cardNumber=214992458870391g1=cardNumber=g2=214992458870391
Random Masking with default character length (4):
- Replace Expression:
`${g1}${C.Mask.random()}` - Result:
cardNumber=HRhc
Random Masking with defined character length:
- Replace Expression:
`${g1}${C.Mask.random(7)}` - Result:
cardNumber=neNSm8r
Random Masking with length preserving replacement:
- Replace Expression:
`${g1}${C.Mask.random(g2)}` - Result:
cardNumber=DroJ73qmyaro51u3
Repeat Masking with default character length (4):
- Replace Expression:
`${g1}${C.Mask.repeat()}` - Result: Result:
cardNumber=XXXX
Repeat Masking with defined character choice and length:
- Replace Expression:
`${g1}${C.Mask.repeat(6, 'Y')}` - Result:
cardNumber=YYYYYY
Repeat Masking with length preserving replacement:
- Replace Expression:
`${g1}${C.Mask.repeat(g2)}` - Result:
cardNumber=XXXXXXXXXXXXXXX
Literal REDACTED masking:
- Replace Expression:
`${g1}${C.Mask.REDACTED}` - Result:
cardNumber=REDACTED
Hash Masking (applies to: md5, sha1 and sha256):
- Replace Expression:
`${g1}${C.Mask.md5(g2)}` - Result:
cardNumber=f5952ec7e6da54579e6d76feb7b0d01f
Hash Masking with left N-length* substring (applies to: md5, sha1 and sha256):
- Replace Expression:
`${g1}${C.Mask.md5(g2, 12)}` - Result:
cardNumber=d65a3ddb2749*Replacement length will not exceed that of the hash algorithm output; MD5: 32 chars, SHA1: 40 chars, SHA256: 64 chars.
Hash Masking with right N-length* substring (applies to: md5, sha1 and sha256):
- Replace Expression:
`${g1}${C.Mask.md5(g2, -12)}` - Result:
cardNumber= 933bfcebf992*Replacement length will not exceed that of the hash algorithm output; MD5: 32 chars, SHA1: 40 chars, SHA256: 64 chars.
Hash Masking with length* preserving replacement (applies to: md5, sha1 and sha256):
- Replace Expression:
`${g1}${C.Mask.md5(g2, g2)}` - Result:
cardNumber= d65a3ddb27493f5*Replacement length will not exceed that of the hash algorithm output; MD5: 32 chars, SHA1: 40 chars, SHA256: 64 chars.