PII enrichment MD5 / SHA-1 salt values required for Redshift compatibility?

robkingston · July 16, 2018, 4:00am

Hi guys,

Just validating my config against the new schema for pii_enrichment_config/2-0-0 and noticed that salt is required under pseudonymize.

What salt was used before this option was added in R106?
What value should we use here to ensure it matches the output of Redshift’s MD5 and FUNC_SHA1 functions?

Cheers,
Rob

robkingston · July 16, 2018, 5:51am

Alright, did some reading up on hashing and it looks like I may have answered my own question (please correct me if I’ve misunderstood).

Tl;dr:

Looks like no salt prior to R106
Just pass an empty string to the enrichment to designate no salt being passed into the function

Using salt with cryptographic hash functions just adds to the functions’ input, so we just have to add the salt onto the end of the plain text. Below, we can apply our salt “test” to our plaintext input of “hello”:

select 
  md5('hellotest') as md5_salt_test, 
  md5('hello') as md5_no_salt;

md5_salt_test	md5_no_salt
200f9319fc232a9254b275f0dcaad797	5d41402abc4b2a76b9719d911017c592

There doesn’t seem to be any standard method to applying salt so you have to make sure it matches where you will be using it elsewhere (e.g. hashing old data in SQL Runner). Judging from the enrichment source code, we simply have to append the salt to the string in Redshift to match the salt in Enrichment:

github.com

snowplow/snowplow/blob/release/r107/3-enrich/scala-common-enrich/src/main/scala/com.snowplowanalytics.snowplow.enrich/common/enrichments/registry/pii/PiiPseudonymizerEnrichment.scala#L146




/**
* Implements a pseudonymization strategy using any algorithm known to DigestFunction
* @param functionName string representation of the function
* @param hashFunction the DigestFunction to apply
* @param salt salt added to the plain string before hashing
*/
final case class PiiStrategyPseudonymize(functionName: String, hashFunction: DigestFunction, salt: String)
   extends PiiStrategy {
 val TextEncoding                                 = "UTF-8"
 override def scramble(clearText: String): String = hash(clearText + salt)
 def hash(text: String): String                   = hashFunction(text.getBytes(TextEncoding))
}


/**
* The PiiPseudonymizerEnrichment runs after all other enrichments to find fields that are configured as PII (personally
* identifiable information) and apply some anonymization (currently only pseudonymization) on them. Currently a single
* strategy for all the fields is supported due to the configuration format, and there is only one implemented strategy,
* however the enrichment supports a strategy per field.
*
* The user may specify two types of fields in the config `pojo` or `json`. A `pojo` field is effectively a scalar field in the

knservis · July 16, 2018, 7:10am

Hey @robkingston,

that is correct.

If you want to read the background on adding salt, you can read the relevant issue here: https://github.com/snowplow/snowplow/issues/3648

As well as the wiki on this enrichment: https://github.com/snowplow/snowplow/wiki/PII-pseudonymization-enrichment

robkingston · July 16, 2018, 8:17am

Thanks @knservis - did a bit of reading up on that thread this afternoon.

Topic		Replies	Views
Retrieve User_ids encrypted by enrichment Enrichment	4	1867	September 28, 2018
GDPR - PII configuration in the batch pipeline Enrichment	3	1234	January 31, 2019
Issue to encryption PII data of form submit	2	744	August 9, 2022
Snowplow R100 Epidaurus released with PII pseudonymization support New releases	13	2714	March 31, 2018
Build a lookup table for hashed IP Enrichment	1	1038	June 29, 2021

PII enrichment MD5 / SHA-1 salt values required for Redshift compatibility?

Related topics