Thursday, April 5, 2012

Format Preserving Encryption and its applications

As we all know, when we encrypt a 16 digit credit card number using AES, it gives a random block of bytes (depending on the block size utilized). Wouldn't it be cool if we can get another random 16 digit number when you encrypt a credit card number and still be safe? That's where format preserving encryption (FPE) [1,2,3] comes in. Apart from the "coolness" there are many practical advantages of such encryption:

1. It can provide a simpler migration when encryption is applied to legacy systems/databases:
- Since it's the same format, you don't need to change the database schema (type, size, etc.)
- If these data are transported, no change required to the transport layer

2. It may not even be possible to encrypt if it does not preserve the format and deterministic.
- Take for example, a primary or foreign key field


I am not sure how secure these FPE constructs are compared to classical symmetric key encryption. However, I think there will be more interest on this subject with the increase utilization of cloud computing.


[1] H. E. Smith and M. Brightwell. Using Datatype-Preserving Encryption to Enhance Data Warehouse Security. NIST 20th National Information Systems Security Conference, pp.141, 1997.
[2] J. Black and P. Rogaway. Ciphers with Arbitrary Finite Domains. RSA Data Security Conference, Cryptographer's Track (RSA CT '02), Lecture Notes in Computer Science, vol. 2271, pp. 114-130, Springer, 2002.
[3] T. Spies. Feistel finite set encryption mode. Manuscript, posted on NIST’s website on February 6, 2008. Available
at http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffsem/ffsem-spec.pdf

3 comments:

Mark Bower said...

Nice post Nabeel!

If you are interested in the strength if FPE, Phil Rogaway's work on the topic is useful - including the security proofs of the underlying Feistel structures:

http://www.cs.ucdavis.edu/~rogaway/papers/feistel.pdf

and the FPE methods themselves:
http://eprint.iacr.org/2009/251.pdf

If you're interested in the practice of FPE in industry, we have many implementations now - I just did a webinar on the topic showing commercial applications:

http://www.voltage.com/solutions/technology/end-to-end-encryption/120320-datacentric-security.htm

I hope to see more posts on the topic.

Best Regards
Mark Bower
VP Products - Voltage Security

Jenice said...

Encryption technique is definitely a promising solution to save information from unauthorized access. I would love to know more about this security technique and will keep visiting your blog.
digital signature PDF

Blogger said...

Bluehost is definitely one of the best website hosting provider with plans for any hosting requirements.