Format Preserving Encryption and NIST 800-38G.  What You Need to Know.

03 Nov


In April 2017, a cryptanalytic attack was discovered on the FF3 method for Format Preserving Encryption (FPE) by NIST (National Institute of Standards and Technology). As a result, FF3 was declared no longer suitable as a general purpose FPE method. Since FF3 is utilized by organizations worldwide, cybersecurity teams are forced to look for alternative data security platforms to secure their sensitive data. The FF3 method of FPE is creating risk and potential non-compliance issues, but that has not always been the case. So what is FPE? What is NIST doing to make the technology safe and secure again? Most importantly, are there other FPE methods that NIST is no longer recognizing as cryptographically secure? Why are they facing such a high level of scrutiny now?

FPE: What Is It? Who Uses It? And Who Are the Vendors That Provide It?

In cryptography, FPE refers to encrypting data in such a way that the output (the ciphertext) is in the same format as the input (the plaintext). FPE is mostly used in on-premise encryption and tokenization solutions. It is used to protect sensitive data sets such as payment card data, SSNs, and country identifiers that are commonly used and stored in retail, healthcare, and financial databases and applications. Some of the vendors who provide FPE are Voltage and Protegrity (on-premise solutions); Verifone and Ingenico (device-based solutions); and Thales and Safenet (appliance-based solutions).

What is Happening With the FPE Methods?

The special publication NIST 800-38G addresses FPE from a technical perspective: “This recommendation specifies 3 methods for format preserving encryption, called FF1, FF2, and FF3. Each of these methods is a mode of operation of the AES algorithm, which is used to construct a round function within the Feistel structure for encryption.” In plain terms, the publication focuses on the methods used for FPE. With FFX, FF2 did not make it to the publication, and FF3 was found to be no longer suitable as an FPE method. FF1 is still sound like FF2, but there is a major concern for longevity. FF2 and FF3 derivations have been submitted for reconsideration, but the likelihood of success with these methods is very low. Based on the work TokenEx has done on its own in the FPE space, designing a usable FPE method for the primary use case, payment cards, is going to be challenging. With the payment card data use case, there is simply not enough entropy to create a secure output that cannot be reverse engineered.
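The sketch below illustrates the two ideas above: a Feistel structure that keeps a digit string in the same format, and how small the payment card message space is. It is an added example, not TokenEx or NIST code, and it is not FF1 or FF3: HMAC-SHA-256 stands in for the AES-based round function, and the function names, round count, key, tweak and sample card number are assumptions constructed for illustration.

```python
import hashlib
import hmac
import math

ROUNDS = 10  # assumption for this sketch, not a vetted parameter


def _round_value(key: bytes, tweak: bytes, i: int, half: str, modulus: int) -> int:
    """Keyed round function; HMAC-SHA-256 replaces the AES-based one here."""
    msg = tweak + bytes([i]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _check(digits: str) -> None:
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("expected at least two ASCII decimal digits")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string into a digit string of the same length."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = len(a)
        c = (int(a) + _round_value(key, tweak, i, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)  # swap halves; their lengths alternate
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Undo fpe_encrypt by running the rounds in reverse order."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = len(b)
        prev = (int(b) - _round_value(key, tweak, i, a, 10 ** m)) % 10 ** m
        a, b = str(prev).zfill(m), a
    return a + b


def domain_bits(n_digits: int) -> float:
    """Size of the message space in bits: log2(10 ** n_digits)."""
    return n_digits * math.log2(10)


if __name__ == "__main__":
    key, tweak = b"constructed-demo-key", b"demo-tweak"  # constructed values
    pan = "4111111111111111"  # constructed sample card number
    ct = fpe_encrypt(key, tweak, pan)
    print(ct, fpe_decrypt(key, tweak, ct) == pan, round(domain_bits(16), 1))
```

A 16-digit number spans only about 53 bits, far below the 128-bit block AES operates on, which is the small-domain condition the entropy concern above refers to.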

Why is This Concerning for the FPE Market?

The FPE market appears to be losing stability because two of the three FFX methods used for FPE are not considered to be cryptographically secure. FF1 is the only standing method, and it is under intense scrutiny due to the success researchers have had in breaking down other FPE methods. Additionally, organizations that are producing FPE solutions leveraging FF2 and FF3 methods are struggling to validate their solutions against NIST 800-38G, which will prove to be challenging. Only one patented method remains that can be used, limiting competition and increasing pricing. The challenge in this scenario is that we are not certain FF1 will make it through additional scrutiny.

Risks and Implications for Organizations

Basically, organizations using solutions that leverage the FF2 and FF3 methods for FPE need to address the shortcomings of these methods with their providers. As noted above, the FF2 and FF3 methods are not considered to be “suitable” for FPE, which presents a challenge and a perception issue for securing data appropriately and achieving PCI compliance. In industries not concerned with PCI data, even though compliance with any one specific regulation may not be impacted, the overall security of the organization is more at risk. Other data sets outside of payment card data, like Personally Identifiable Information (PII), Non-Public Information (NPI), or HIPAA data, are equally risky to store using FPE FFX methods that have been invalidated, as they present the same type of breach exposure with legal and financial impact.

Next Steps for Organizations Currently Using FPE Technologies

If you are using FPE to secure data, identify which methods are being used for the solution. Question these vendors about what is being done on their part to remedy the use of insecure FPE methods to ensure your organization is neither out of compliance nor out the money you paid for the solution—either of which will have a significant impact on your organization. If your vendor is simply waiting in the ranks for NIST to validate the methods that have been re-submitted without additional plans to ensure the solution they’ve sold your organization, it’s time to start looking elsewhere. There should be an active or pending product update for ensuring the FPE-based solution will leverage a fully functioning, suitable, and adequate FPE method for securing data within your environment. Otherwise, you are probably owed a full refund for the insecure solution.

How TokenEx is Different

TokenEx does not use current FPE methods, so the risks of an on-premise solution are not present in our cloud platform. Take advantage of the availability of our strong integration and transition teams to assist your organization in moving away from insecure FPE solutions to cloud tokenization and data vaulting. Some internal things to ponder in your transition: cloud security platforms remove data from the client’s IT environment, eliminating unnecessary storage of sensitive data of all types that present risk and compliance challenges.

TokenEx is the industry leader for enterprise cloud tokenization. For more information on how TokenEx can assist with your encryption and tokenization transition, please email Follow us on Twitter and LinkedIn.