Confidentiality Services

Confidentiality is the security service that prevents sensitive data from being disclosed to unauthorized entities while in transit or at rest. There are different mechanisms for providing confidentiality services such as access control, encryption, and security protocols.

For confidentiality of data in transit, communications to and from Simphony and between POS clients at the same property use HTTPS with TLS v1.2 configured with Oracle-approved cipher suites.

Simphony cloud services do not process or handle credit card protected information since version 19.1. For any other sensitive data generated at POS devices, the Simphony cloud service provides end-to-end encryption that ensures that only the designated Simphony cloud server can decrypt the protected data.

For the end-to-end protection scheme, Simphony generates a pair of RSA 2048-bit keys per POS client and sends the public key through a secure channel to that POS client. The private half remains in the possession of the designated Simphony server. When sensitive information is generated at a POS client, the client:

  1. Randomly generates an AES256 data encryption key (DEK) and uses it to encrypt the sensitive data.
  2. Encrypts the DEK with the RSA public key and removes the unencrypted DEK from memory.
  3. Sends the encrypted data along with the encrypted DEK to the designated Simphony server.

The Simphony server fetches the corresponding RSA private key, decrypts the DEK and then decrypts the sensitive data.
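The three client steps and the server-side unwrap and decrypt, as an added worked example that is not Simphony's code. It uses only Go's standard library: AES-256-GCM for the data and RSA-OAEP with SHA-256 for wrapping the DEK. The page does not state which AES mode or RSA padding Simphony uses, so those choices, the `Envelope` layout and the function names (`GenerateServerKeyPair`, `SealForServer`, `OpenEnvelope`) are this example's assumptions. An authenticated mode is used so that the server rejects a payload that was modified in transit rather than decrypting it to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what a POS client sends (names are this example's, not Simphony's):
// the payload under a one-time AES-256 DEK plus that DEK wrapped with RSA-2048.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted with the server's RSA public key (OAEP, SHA-256)
	Nonce      []byte // AES-GCM nonce; must never repeat under the same DEK
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// GenerateServerKeyPair models the per-client RSA-2048 pair whose private half
// stays with the designated server; only the public half is sent to the client.
func GenerateServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealForServer is the client side (steps 1 to 3 of the text).
func SealForServer(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// Step 1: a fresh 256-bit DEK, used for this message only.
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zero(dek) // best-effort scrub of the plaintext DEK once we are done with it

	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Step 2: wrap the DEK with the server's RSA public key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	// Step 3: the ciphertext and the wrapped DEK travel together.
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// OpenEnvelope is the server side: unwrap the DEK with the private key, then decrypt.
// The GCM tag check rejects any modification of nonce or ciphertext.
func OpenEnvelope(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedDEK, nil)
	if err != nil {
		return nil, errors.New("DEK unwrap failed: wrong private key or damaged envelope")
	}
	defer zero(dek)

	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("payload authentication failed: ciphertext or nonce modified")
	}
	return plaintext, nil
}

// zero overwrites key material in place.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	priv, err := GenerateServerKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload, not real customer data.
	env, _ := SealForServer(&priv.PublicKey, []byte("constructed sample: loyalty id 0001"))
	got, err := OpenEnvelope(priv, env)
	fmt.Printf("recovered=%q err=%v\n", got, err)
}
```

Because each message gets its own DEK, a compromise of one DEK exposes one message only, and the RSA private key is never exercised on bulk data; the two failure paths in `OpenEnvelope` are worth logging separately on the server, since a wrong-key failure and an integrity failure point at different problems.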

Simphony cloud services also protect sensitive data at rest when stored in databases by using a double AES256 encryption mechanism. A unique AES256 data encryption key (DEK) protects each piece of sensitive information, and a separate master AES256 key encryption key (KEK) encrypts each DEK. The encrypted sensitive data and the encrypted DEK persist together in the database. Only the designated Simphony server with access to the master KEK can decrypt this information.
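The DEK/KEK layering for data at rest, as an added example that is not Simphony's code. Both layers use AES-256-GCM from Go's standard library; the page does not say how Simphony wraps the DEK or lays out the row, so the `StoredRecord` columns, the use of the record id as associated data, and the function names are this example's own choices. It goes one step beyond the text by showing the property the split buys you in practice: rotating the master KEK only rewrites the small wrapped DEK in each row, never the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredRecord is one database row as this example lays it out (names are the
// example's, not Simphony's): ciphertext and wrapped DEK persist together; the KEK does not.
type StoredRecord struct {
	RecordID   string // row identity, bound into both layers as GCM associated data
	WrappedDEK []byte // per-record AES-256 DEK, encrypted under the master KEK
	DEKNonce   []byte
	Ciphertext []byte // the sensitive field, encrypted under the DEK
	DataNonce  []byte
}

// NewKey returns a random 256-bit key (used both for the KEK and for each DEK).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal and gcmOpen are thin AES-256-GCM wrappers; aad ties a ciphertext to its context.
func gcmSeal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func gcmOpen(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, nonce, ciphertext, aad) // fails on any modification
}

// EncryptForStorage: a unique DEK per record, data under the DEK, DEK under the KEK.
func EncryptForStorage(kek []byte, recordID string, plaintext []byte) (*StoredRecord, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	dataNonce, ct, err := gcmSeal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := gcmSeal(kek, dek, []byte("dek:"+recordID))
	if err != nil {
		return nil, err
	}
	return &StoredRecord{RecordID: recordID, WrappedDEK: wrapped, DEKNonce: dekNonce,
		Ciphertext: ct, DataNonce: dataNonce}, nil
}

// DecryptFromStorage reverses both layers; it fails closed on a wrong KEK, a
// tampered column, or columns copied in from a row with a different RecordID.
func DecryptFromStorage(kek []byte, rec *StoredRecord) ([]byte, error) {
	dek, err := gcmOpen(kek, rec.DEKNonce, rec.WrappedDEK, []byte("dek:"+rec.RecordID))
	if err != nil {
		return nil, errors.New("DEK unwrap failed")
	}
	defer zero(dek)
	return gcmOpen(dek, rec.DataNonce, rec.Ciphertext, []byte(rec.RecordID))
}

// RewrapDEK rotates the master KEK: only the wrapped DEK is rewritten.
func RewrapDEK(oldKEK, newKEK []byte, rec *StoredRecord) error {
	dek, err := gcmOpen(oldKEK, rec.DEKNonce, rec.WrappedDEK, []byte("dek:"+rec.RecordID))
	if err != nil {
		return errors.New("DEK unwrap failed")
	}
	defer zero(dek)
	nonce, wrapped, err := gcmSeal(newKEK, dek, []byte("dek:"+rec.RecordID))
	if err != nil {
		return err
	}
	rec.DEKNonce, rec.WrappedDEK = nonce, wrapped
	return nil
}

// zero overwrites key material in place.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

Binding the record id into the associated data means a ciphertext and wrapped DEK lifted from one row and written into another will not decrypt, which a plain encrypt-the-column design does not give you; the KEK itself should live in a key management service or HSM reachable only by the designated server, which is the access boundary the page describes.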

Simphony protects user passwords through PBKDF2 with SHA256, 32-bit salts, and 100K iterations.
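Password hashing and verification with PBKDF2-HMAC-SHA256 at the 100,000 iterations the page states, as an added example that is not Simphony's code. The KDF is written out over HMAC-SHA-256 from the standard library so the iteration structure of RFC 8018 is visible (production code should use a vetted library); the 16-byte salt length, the `pbkdf2-sha256$iterations$salt$hash` record format and the function names are this example's own choices, not Simphony's (NIST SP 800-132 recommends salts of at least 128 bits). Storing the parameters inside each record lets the iteration count be raised later without invalidating existing hashes, and the comparison is constant-time.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

const (
	pbkdf2Iterations = 100000 // the 100K iterations the page states
	saltLen          = 16     // the example's choice (NIST SP 800-132: at least 128 bits)
	derivedKeyLen    = 32
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA-256:
// T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var index [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(index[:], uint32(block))
		prf.Write(index[:])
		u := prf.Sum(nil)
		t := make([]byte, hashLen)
		copy(t, u)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword returns a self-describing record: algorithm$iterations$salt$hash (hex).
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations, derivedKeyLen)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", pbkdf2Iterations,
		hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash with the stored parameters and compares in constant time.
func VerifyPassword(password, stored string) bool {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil || len(want) == 0 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iterations, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

// DeriveHex exposes the KDF so it can be checked against published test vectors.
func DeriveHex(password, salt string, iterations, keyLen int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), iterations, keyLen))
}

func main() {
	stored, _ := HashPassword("constructed sample passphrase")
	fmt.Println(stored)
	fmt.Println(VerifyPassword("constructed sample passphrase", stored)) // true
}
```

A hand-rolled KDF should always be checked against a known answer before use; the test below compares the derivation of `("password", "salt", 1 iteration, 32 bytes)` with the published PBKDF2-HMAC-SHA256 vector for those inputs.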