FPE/AES
This algorithm supports the following cardinalities for different types of data:
CARD10 for digits in range 0 - 9
CARD26 for lower case alphabets (a-z)
CARD62 for digits (0 - 9), lower case alphabets (a - z), and upper case alphabets (A - Z)
UNICODE (UTF-8 encoding only) to support various languages. The file containing the Unicode character set should contain more than 10 and fewer than 256 characters. The number of characters provided in the character set file is treated as the cardinality for the input data. If the input data to be encrypted contains characters other than those available in the character set, those characters are retained as they are after encryption/decryption.
The location of this file is passed in the NAE session when performing encryption on data derived from such a character set, as shown below.
session.readSupportedCharacters("C:\\unicode\\FPE_charset.txt");
The steps to encrypt/decrypt data using the FPE/AES algorithm are provided in the FPEEncryptionDecryptionSample.java sample, which is available on GitHub.
Important notes
The characters in the Unicode character set should be separated by newline characters and must not be repeated or include space characters.
The bulk operation is not supported with FPE/AES/UNICODE.
Only CARD10 is supported in both local and remote mode. Other cardinalities are supported in the local mode only.
When performing crypto operations with FPE/AES in local mode, the characters in the input data other than those specified by the cardinality are preserved and are not encrypted. In remote mode, crypto operations on such input data throw an invalid data chunk error.
If any character other than those specified by the cardinality is present in the input data, you must calculate the effective input data length (the number of characters that belong to the cardinality) and provide the IV accordingly.
When using CARD62, if the input data is alphanumeric, the output data can be any set of characters from the CARD62 cardinality set. For example, if the input data is ABC123, the output data can be X2Py56.
FPE/AES (CARD10, CARD26, and CARD62) requires a minimum of two bytes to perform encryption. FPE/AES/Unicode requires a minimum of four characters to perform encryption.
The Unicode character set file cannot be updated at run time during an NAE session; that is, the file cannot be dynamic during the active NAE session. For example, if a user has encrypted data using a particular file, then the same file, with no modification of its data or UTF encoding, must be used at the time of decryption.
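The constraints in these notes can be checked before data is handed to the provider. The following added example (not code from the NAE provider or the FPEEncryptionDecryptionSample.java sample) validates the contents of a Unicode character set file against the rules above and computes the effective input length that the IV must be sized for; the function names and the sample Greek character set are assumptions made for the example.

```python
"""Pre-flight checks for FPE/AES input (added example, not the NAE provider's code)."""
import string

# Built-in cardinality sets as described above.
CARDINALITIES = {
    "CARD10": set(string.digits),
    "CARD26": set(string.ascii_lowercase),
    "CARD62": set(string.digits + string.ascii_letters),
}
# Minimum number of in-set characters per cardinality (from the notes above).
MIN_LEN = {"CARD10": 2, "CARD26": 2, "CARD62": 2, "UNICODE": 4}
# Constructed sample charset file: 12 Greek letters, one per line, UTF-8.
SAMPLE_CHARSET_TEXT = "\n".join("αβγδεζηθικλμ") + "\n"

def load_unicode_charset(file_text: str) -> set:
    """Parse a charset file: one character per line, no repeats, no spaces,
    more than 10 and fewer than 256 characters."""
    lines = file_text.split("\n")
    if lines and lines[-1] == "":  # drop the empty element after a trailing newline
        lines.pop()
    chars = []
    for line in lines:
        if len(line) != 1:
            raise ValueError(f"each line must hold exactly one character, got {line!r}")
        if line.isspace():
            raise ValueError("space characters are not allowed in the character set")
        chars.append(line)
    if len(set(chars)) != len(chars):
        raise ValueError("character set contains repeated characters")
    if not 10 < len(chars) < 256:
        raise ValueError(f"character set size must be >10 and <256, got {len(chars)}")
    return set(chars)

def effective_length(data: str, charset: set) -> int:
    """Count only in-set characters; out-of-set characters pass through
    unencrypted in local mode, so the IV is sized for this length, not len(data)."""
    return sum(1 for ch in data if ch in charset)

def check_input(data: str, cardinality: str, charset: set = None) -> int:
    """Validate input for a cardinality and return its effective length."""
    allowed = charset if cardinality == "UNICODE" else CARDINALITIES[cardinality]
    eff = effective_length(data, allowed)
    if eff < MIN_LEN[cardinality]:
        raise ValueError(f"{cardinality} needs at least {MIN_LEN[cardinality]} in-set characters, got {eff}")
    return eff
```

In remote mode the provider rejects out-of-set characters outright, so the same effective-length check also tells you whether an input is eligible for remote CARD10 operations at all.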