Tackling Data Theft with Format-Preserving Encryption

It’s a jungle out there in cyberspace. Businesses are targeted by a growing number of sophisticated attacks that aim either to steal intellectual property, personal information and data or to extort money through ransomware. Organizations must have comprehensive security strategies in place to defend against these threats, and a key part of that strategy is strong data encryption.


Standards are a crucial guide to implementing genuinely secure data encryption. The National Institute of Standards and Technology (NIST) recently released a new standard that defines an important new method for encrypting sensitive data: NIST Special Publication 800-38G, “Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption.”

The standard makes encryption easier and allows data encryption to be embedded at the application layer by defining two modes for format-preserving encryption (FPE), FF1 and FF3, which use the AES encryption algorithm. This standard is something we contributed to when HPE Security worked with NIST researchers to make sure that FPE was mathematically, provably secure.

FPE transforms strings of digits, such as credit card and Social Security numbers, so that they are indecipherable to hackers. Unlike traditional encryption modes, however, FPE lets architects choose specific properties of the original data to retain in the encrypted form. Three main characteristics can be retained, each of which makes the encrypted data usable in many applications without decryption (and hence without potential exposure of plaintext):

  • Format – the encrypted data can retain the length and character set of the original data. A 16-digit credit card number can be encrypted into a 16-digit decimal value.
  • Subfields – subsets of the data item can be kept in the clear, allowing applications to use this data without decryption. As an example, the last four digits of a credit card might be retained, allowing a customer service application to use the data without decryption.
  • Referential integrity – data can be encrypted so that the same data item, encrypted twice, will result in the same ciphertext. This allows analytic applications that use sensitive data for database keys or item counts to use the encrypted data item directly.
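
The three properties above, shown on a constructed 16-digit card number. This is an added example, not code from the original post or from HPE, and it is not FF1 or FF3: it uses a 10-round Feistel network over decimal strings with HMAC-SHA256 as the round function in place of the AES-based function the standard specifies, so it illustrates the structure only. The function names, the sample key and the use of the clear last four digits as the tweak are assumptions.

```python
import hashlib
import hmac

ROUNDS = 10  # same round count as FF1; the round function below is NOT FF1's


def _prf(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """HMAC-SHA256 over (round, tweak, other half), reduced to `width` decimal digits."""
    msg = bytes([rnd]) + len(tweak).to_bytes(2, "big") + tweak + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10 ** width


def _split(digits: str):
    if not (digits.isascii() and digits.isdigit() and len(digits) >= 2):
        raise ValueError("expected a string of at least two decimal digits")
    return digits[: len(digits) // 2], digits[len(digits) // 2 :]


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Alternating Feistel network over decimal strings: n digits in, n digits out."""
    a, b = _split(digits)
    for rnd in range(ROUNDS):
        m = len(a)  # width of the half being replaced this round
        c = (int(a) + _prf(key, tweak, rnd, b, m)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Run the rounds backwards, subtracting what encryption added."""
    a, b = _split(digits)
    for rnd in reversed(range(ROUNDS)):
        m = len(b)
        p = (int(b) - _prf(key, tweak, rnd, a, m)) % 10 ** m
        a, b = str(p).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str, keep_last: int = 4) -> str:
    """Subfield preservation: encrypt the leading digits, keep the last four in the clear."""
    head, tail = pan[:-keep_last], pan[-keep_last:]
    return fpe_encrypt(key, tail.encode(), head) + tail  # clear tail doubles as the tweak


def unprotect_pan(key: bytes, token: str, keep_last: int = 4) -> str:
    head, tail = token[:-keep_last], token[-keep_last:]
    return fpe_decrypt(key, tail.encode(), head) + tail


KEY = b"constructed-demo-key"  # constructed sample key
PAN = "4111111111111111"       # constructed sample card number
```

Calling `protect_pan(KEY, PAN)` twice returns the same 16-digit token ending in `1111`, which is what lets the token serve as a database key, and `unprotect_pan` recovers the original number.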

FPE allows organizations to encrypt information while minimizing changes to existing code and business processes. Some applications can only manage data in a specific format, and although modifications can be made in most cases, doing so can be very expensive. By using FPE, many of those applications can run with encrypted versions of sensitive data items, or can do so with minor changes as opposed to dramatic changes to the system architecture.

FPE solves data security problems faced by many sectors such as healthcare, which has been struggling to create a national patient identifier. The standard allows health care providers, such as hospitals and clinics, to securely share and match patient records. In other applications, FPE could help anonymize personal data such as credit or banking information.

When data is randomized with strong encryption, data theft attacks become less interesting to hackers because the information has no value to them. The added security provided by FPE also supports the Cybersecurity Act of 2015, which is intended to help businesses analyze their cyber risk by focusing on better security and encryption standards.

By using FPE, industries such as health care, finance and retail, as well as U.S. federal and other government agencies, can protect themselves from the wave of ongoing attacks targeting valuable customer and patient data. Protecting data makes valuable company and customer information less attractive for attacks and helps reduce an organization’s threat profile. Attackers hate scouring a network only to find the crown jewels in a format they can’t read – and that’s our job, to make them hate theirs!

Learn more about HPE Format-Preserving Encryption (FPE), protecting sensitive data at-rest, in-motion and in-use while preserving the data formats.
