 Hi. Hello. Good morning. In this presentation, I will talk about data encryption and data masking techniques. Hey, this is Trivikram. I'm a CTO at Dusra. So, as end of the session, we'll talk about what we are going to do at Dusra, what we do as a company. Data encryption techniques that we follow at Dusra on data masking techniques. Finally, we'll list the differences between encryption and masking. When to choose data encryption and when to choose data masking. Well, what is Dusra? Dusra fight against telephony spam. We offer virtual mobile number without the need of a SIM card. It can be activated from Dusra application. This virtual mobile number can be shared at malls, restaurants, delivery application and shopping complexes. Daily, we receive about 50,000 SMS. If you directly store the messages in the plain text format, there are two limitations. Developers can directly read the content of the messages. Due to some reasons, if the data is compromised, attacker can gain the access to the end customer messages. To mitigate these two things, we are encrypting the data. So, the flow is as follows. Once someone sends the SMS to one of the virtual mobile members, the message is being sent to crypto servers or Dusra servers in plain text format, which is again wrapped in Https protocol. Behind the scenes crypto servers uses different kinds of keys and encrypt the data. Encrypted data is stored in SMS databases. As I said, crypto server uses two different keys. One user key, second one master key. At the time of sign up for each user, we will generate one key, one unique key that's called user key. And that user key is stored in user keys database. And for the entire application, we will maintain one master key. That master key is stored in AWS param store, which is AWS managed service. So, once message is reached to crypto servers, first the message is encrypted using user key. The encrypted content of the message is again encrypted with the master key. Basically, we are following two level or multi level encryption, which is being used to maintain the or enhance the additional security or additional encryption policies. So, let me tell you how do we mask the data and when do we mask the data? Generally, for each request and response, we store it in audit locks databases. The fundamental reason behind this, there are majorly two reasons behind this. The first reason, whenever customer reaches to our customer supporting, we will check the audit locks or we'll look at the history of the user. That's one reason we stored the response locks in the audit locks databases. The second reason, at any point of time, we want to understand about the matrix of the system. That is, let's say today, how many requests are hitting the servers? What is the average latency? All these different kind of metrics we can derive from audit locks database. This is the fundamental reason we stored the data. If you directly store the response in the audit locks databases, again, one can read the content of the messages. So, before storing into the audit locks, we will mask the data. So, let me walk you through the following code. This is a Node.js pseudo code. Let me explain about the functionality of this code. Get SMS. This will take two parameters, the request object and response object. From the request object, we'll retrieve the mobile number. In this case, I'm using query parameters, but in general, it can be query or body depending on the API implementations. Once you have the mobile number, hit the database and get the list of all the messages and store in SMS list. Mask the data and save it in the audit locks database. However, when you're sending the response as part of the API response, send unmasked data. SMS list is unmasked data. Masked data is, masked content is being stored in masked data. So, let me explain about mask data function, which will take SMS list as input, clone the SMS list and store it in a different attribute, mask list, iterate each SMS and mask the sensitive data with some starts. The fundamental reason why are we cloning the data or why are we cloning the attribute is generally NodeJs follows call by reference, especially for arrays and JSON objects. Call by reference in the sense, if you change some attributes that will automatically reflected in the other places. So, if you don't clone this SMS list and directly mask the data, at the time of sending the response to the end user, we are essentially sending the masked content. We don't want to, we don't want to do that. That is the reason, at the time of storing audit locks, we are masking the data. However, at the time of sending the response to the end user, we are sending unmasked data. This is a high level overview about how do we do masking. Let me finally list down the differences between data encryption and data masking. When to choose data encryption and when to choose data masking. If you observe carefully, we went through two different examples. The first example data encryption. In the case of first example, we are storing the content of the SMS in SMS database. The second example, we are storing the data in audit locks database. The first one is a permanent database. SMS data store is permanent database. However, this analytics database is a temporary database, which means after a week or so will pass the data. So it is considered as temporary database. So for the temporary database, it's preferred to choose data masking for the permanent databases. Generally, we'll go with the encryption techniques. Data set for a encryption database is independent. So if you go back and check the example, SMS database is independent data set. It is not dependent on any other data sets. However, analytics database is purely dependent on SMS database. Even if the data is lost, still we can recover because it's a dependent data set. Always we can take the data from SMS database and again we can mask the data. So in the case of data masking, the data sets are always dependent on something else. Encryption functions are reversible functions, which means if you encrypt the data using some techniques, it's always possible to revert it back. However, data masking techniques, once you encrypt the data, or once you mask the data, it's not possible to revert it back. Generally encryption algorithms are harder to implement. Again, it depends on the chosen algorithm. If you choose RSA, DES or AES, bit harder to implement. However, data masking techniques quite trivial. All you have to do is take the sensitive data and replace that with some starts or special characters. In the case of encryption, execution speed is bit less because AES or DES, it will take multiple iterations to encrypt the content of the SMS or content of the data. In the case of data masking, it's quite instant. Depending on your need, you have to choose between encryption or data masking techniques. It's purely depending on the use cases. So we'll end the presentation here. If you have any questions, feel free to drop me an email at www.3victim.gov. or connect me at my LinkedIn profile. Thanks for watching this video.