| Field | Value | Date |
|---|---|---|
| author | Tyler Davis <tyler@gluecode.com> | 2023-12-15 21:22:30 +0000 |
| committer | Tyler Davis <tyler@gluecode.com> | 2023-12-15 21:22:30 +0000 |
| commit | 493c903ef2c21b6084efb830cee2d9793f0c7861 (patch) | |
| tree | 97ef33f19067562e1c1babbfed93188de3d58922 | |
Readme first pass
-rw-r--r-- | README.md | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100644 index 0000000..45408ab --- /dev/null +++ b/README.md 
@@ -0,0 +1,46 @@ +# FortKnox Data Protection Service (FK) + +Provides at least three core systems: + +- Central library which performs tokenization / redemption +- Self-hosted HTTP+JSON endpoint for Tokenization / Redemption +- (Optional) SQL proxy mode. + SQL statements containing `TOKENIZE(…)` and `REDEEM(…)` will make the application strip out the values, perform the exchange on-server, and then pass upstream to SQL datastore containing only the replaced values (only tokenized data goes to/from the sql datastore). + +## Requirements + +- Rust 1.74+ +- git + +## Notes + +- System should be self-contained / self-hosting. + Extra "parts" should be separable and/or unnecessary for normal functioning up to a certain limit. +- Must leverage a sqlite datastore by default. +- Connect to PostgreSQL, Oracle, or other provdiers via ODBC connector (?) + +## Limitations + +If operating with a remote database, FK must not try to operate in a peering / cluster mode. + +### Namespace limits + +NOTE: look at UUIDv5 methods, but *do not* use them as UUIDv5 leverages deterministic hashing to produce tokens. + +UUIDv4 (Version 4 - Variant 1) has 6 bits reserved for identification and encoding purposes, so the maximum number UUIDv4 values is 2^122 or 5.3169119831e36. +( RFC 4122 Section 4.4 - https://datatracker.ietf.org/doc/html/rfc4122#section-4.4 ) +Reserved bits are 6-7, 12-15. +Representation of these UUIDs (before base64-url-safe encoding) in bytes is grouped as `8-4-4-4-12`. + +Proposed: 16-bit identifier for locations which need to avoid collisions but also need to identify the source location. +Assuming P is an identifier bit, and explicit numbers are reserved bits, the bit-specific structure would be as follows: + + 0 1 1 2 2 3 + 0 7 8 5 6 4 5 2 + ----------------------------------- + 000-032 XXXXX01X XXX0100X XXXXXXXX XXXXXXXX + 033-064 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX + 065-096 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX + 097-128 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX + + |
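Review bot: the bit layout in the "Namespace limits" section does not match RFC 4122 section 4.4, which the README itself cites: the version nibble (`0100`) occupies bits 48-51, the high nibble of octet 6, and the variant bits (`10`) occupy bits 64-65, the two high bits of octet 8; those 4 + 2 = 6 fixed bits are where the 2^122 figure comes from. The diagram instead places `XXXXX01X XXX0100X` inside bits 000-032, and the line "Reserved bits are 6-7, 12-15" agrees with neither the diagram nor the 2^122 count. The `8-4-4-4-12` grouping is hex digits in the textual form, not bytes (the byte grouping is 4-2-2-2-6). The diagram also says "Assuming P is an identifier bit" but no P appears anywhere in it, so the proposed 16-bit location identifier cannot be read off; suggest redrawing the table with the 16 P bits placed explicitly and stating the resulting random space, since carving 16 bits out of the 122 random bits leaves 2^106 values per location, which is the number the collision argument should be made against, and stating which CSPRNG fills the remaining bits, since the UUIDv5 warning above only matters if the v4 tokens really are unpredictable. Minor: "provdiers" should be "providers", and "the maximum number UUIDv4 values" is missing "of".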