How not to implement format-preserving encryption

There are lots of good reasons to be interested in format-preserving encryption. Most of them involve getting encryption to work in IT environments that have lots of older technologies in them. Lots of these don't handle encrypted data gracefully, and you never quite know which part of your IT environment will choke on even a slight change in data format until you try it.

But if you're going to use FPE, it's probably best to just use either a shipping product that implements this for you or to use someone else's encryption toolkit that does this. It's probably not a good idea to implement it yourself.

But that's just what one of our competitors is recommending. Here's what they said on their web site when someone asked about for FPE. (I've tried to make this anonymous, because I know that this vendor is actually very careful about security, and that this questionable advice probably doesn't really reflect the company's point of view.)

What you could try is:

  • Re-format your plain text from the restricted key space format to binary format plain text.
  • AES encrypt the binary format plain text to produce binary format cipher text.
  • Re-format your cipher text from binary format cipher text to resticted key space format cipher text.

where "restricted key space format" is the restrictions placed on the text based on the format you are trying to preserve. For instance, if your plain text was only ASCII numbers '0' to '9', before encrypting the numbers, you would need to convert the number to the range 0x00 to 0xFF.

Unless you really know what you're doing, following that advice is very likely to lead to an approach that isn't as secure as you think it is. The way that Voltage does FPE uses a technique that's provably secure. Our approach and the proof that it's secure is actually due to Phil Rogaway, which is about as good as you can get when it comes to symmetric encryption. Other approaches may not be as sound.

(As an aside, I actually have seen fairly non-technical QSAs arguing with Phil over this on various Internet forums. It's sort of like seeing an undergraduate English major telling Einstein that his theory of general relativity is totally wrong. But that's probably getting too far off topic. ) 

In any event, it's still true that creating your own cryptographic algorithms is probably not a good idea. It's easy enough to buy products or to license a toolkit that will do FPE in a secure way. That's probably a much better approach than trying to do it yourself.

Leave a Reply

Your email address will not be published. Required fields are marked *