Format Preserving Encryption
The Format Preserving Encryption (FPE) algorithm allows the user to perform crypto operations on data while preserving the format of the input data.
Important Notes
Before using the FPE feature, the user must be aware of the following:
If any characters outside the cardinality set are present in the input data, the user must calculate the effective input data length (the count of in-set characters only) and provide the IV accordingly.
FPE requires a minimum of two bytes/characters to perform encryption.
The algorithm supports CARD10 for digits in the range 0 - 9, whereas for CARD26 the range is a - z.
Note
• FPE supports input data of up to 3500 bytes (in remote mode).
• FPE supports only non-versioned AES keys.
How it Works
When using FPE (only CARD10 supported), the sequence of operations performed internally is as follows:
The cardinality is retrieved
The algorithm is retrieved (Currently, only AES is supported)
XML request is sent for Crypto operation
For the XML request, CipherTrust Manager:
Translates the input data into s-integers
Performs FPE Crypto operation in s-integers
Translates s-integers ciphertext to cardinality set
For more information on Crypto operations, refer to NaeFpe.
Use Cases
Use case 1
Data element: Identification Numbers and Sensitive Authentication Data
Cardinality set: [0 to 9]
Algorithm: FPE/AES/CARD10
Maxb = 56
Actual Input Data | Input Data to Crypto API | IV Required | Output | Remarks |
---|---|---|---|---|
1122 | 1122 | no | 7394 | CADP for .NET Core performs CARD10 encryption as single data (datasize = 4 characters). |
2323-3434-5656-3434 | 2323-3434-5656-3434 | no | 4527-8628-7902-7942 | CADP for .NET Core preserves '-' as a special character and performs CARD10 encryption as single data with '-' removed (datasize = 16 characters). |
555-50-1234 | 555-50-1234 | no | 687-23-6272 | CADP for .NET Core preserves '-' as a special character and performs CARD10 encryption as single data with '-' removed (datasize = 9 characters). |
Use case 2
Data element: Name
Cardinality set: a to z
Algorithm: FPE/AES/CARD26
Maxb = 40
Actual Input Data | Input Data to Crypto API | IV Required | Output | Remarks |
---|---|---|---|---|
"John Smith" | "john smith" | no | "kesv wqfkn" | The user converts all uppercase characters to lowercase. CADP for .NET Core preserves the space as a special character and performs CARD26 encryption as single data (lowercase) with the space removed (datasize = 9 characters). |
"Mrs. ANNA TERESA" | "mrs. Anna teresa" | no | "pth. whts bgftds" | The user converts all uppercase characters to lowercase. CADP for .NET Core preserves the space and '.' as outside cardinality characters and performs CARD26 encryption as single data (lowercase) with these removed (datasize = 13 characters). |
"Mrs. ANNA BERTHA CECILIA DIANA EMILY FANNY QUINCEREBECCA SARAH TERESA" | "mrs. anna bertha cecilia diana emily fanny quincerebecca sarah teresa" | yes | "gkh. stet fnrsps lspjqka amgtq ftnso liseq eudnze-skypeqv ewqlg ybdnlh" | The user converts all uppercase characters to lowercase. CADP for .NET Core preserves the space, '.' and '-' as outside cardinality characters and performs CARD26 encryption as single data (lowercase) with these removed (datasize = 59 characters). IV of 40 bytes required. |
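The pipeline in "How it Works" (translate to s-integers, encrypt in the integer domain, translate back) and the use-case tables above (outside-cardinality characters kept in place, effective length computed on the remaining characters, IV needed once that length exceeds Maxb) can be put together in a small model. The following Python is an added illustration, not CADP for .NET Core or CipherTrust Manager code: the integer-domain cipher is a toy HMAC-SHA256 Feistel network standing in for the AES-based FPE the product uses (it is not FF1/FF3 and is not meant to protect real data), the round count and the "IV required when effective length > Maxb" rule are assumptions read from the tables, and the key and sample inputs are constructed.

```python
"""Toy model of the FPE pipeline described on the page (added example, not product code)."""
import hashlib
import hmac
import string

CARD10 = string.digits            # cardinality set 0-9
CARD26 = string.ascii_lowercase   # cardinality set a-z
MIN_LEN = 2                       # FPE needs at least two in-set characters
ROUNDS = 10                       # toy Feistel round count (assumption)


def split_format(data, alphabet):
    """Translate in-set chars to s-integers; remember outside-set chars by position."""
    ints, outside = [], {}
    for pos, ch in enumerate(data):
        idx = alphabet.find(ch)
        if idx < 0:
            outside[pos] = ch      # preserved verbatim, e.g. '-', ' ', '.'
        else:
            ints.append(idx)
    return ints, outside


def merge_format(ints, outside, alphabet):
    """Inverse of split_format: put s-integers back into the original layout."""
    it = iter(ints)
    return "".join(outside[pos] if pos in outside else alphabet[next(it)]
                   for pos in range(len(ints) + len(outside)))


def effective_length(data, alphabet):
    """Length the cipher actually sees: outside-cardinality characters removed."""
    return len(split_format(data, alphabet)[0])


def iv_required(data, alphabet, maxb):
    """Reading of the use-case tables: an IV is needed once effective length exceeds Maxb."""
    return effective_length(data, alphabet) > maxb


def _round_fn(key, rnd, tweak, half, radix, out_len):
    """Toy round function: expand HMAC-SHA256 output into out_len base-radix digits."""
    msg = bytes([rnd]) + len(tweak).to_bytes(2, "big") + tweak + bytes(half)
    need = out_len * radix.bit_length() + 64      # bits wanted before reducing mod radix
    blocks, ctr = [], 0
    while len(blocks) * 256 < need:
        blocks.append(hmac.new(key, bytes([ctr]) + msg, hashlib.sha256).digest())
        ctr += 1
    v = int.from_bytes(b"".join(blocks), "big")
    digits = []
    for _ in range(out_len):
        digits.append(v % radix)
        v //= radix
    return digits


def _feistel(ints, key, radix, tweak, encrypt):
    """Alternating Feistel over two halves; digit-wise modular add (encrypt) or subtract (decrypt)."""
    u = len(ints) // 2
    a, b = list(ints[:u]), list(ints[u:])
    sign = 1 if encrypt else -1
    for i in (range(ROUNDS) if encrypt else range(ROUNDS - 1, -1, -1)):
        if i % 2 == 0:
            f = _round_fn(key, i, tweak, b, radix, len(a))
            a = [(x + sign * y) % radix for x, y in zip(a, f)]
        else:
            f = _round_fn(key, i, tweak, a, radix, len(b))
            b = [(x + sign * y) % radix for x, y in zip(b, f)]
    return a + b


def _fpe(data, key, alphabet, maxb, iv, encrypt):
    ints, outside = split_format(data, alphabet)
    if len(ints) < MIN_LEN:
        raise ValueError("FPE needs at least %d in-cardinality characters" % MIN_LEN)
    if len(ints) > maxb and not iv:
        raise ValueError("effective length %d exceeds Maxb %d: IV required" % (len(ints), maxb))
    return merge_format(_feistel(ints, key, len(alphabet), iv, encrypt), outside, alphabet)


def fpe_encrypt(data, key, alphabet, maxb, iv=b""):
    return _fpe(data, key, alphabet, maxb, iv, True)


def fpe_decrypt(data, key, alphabet, maxb, iv=b""):
    return _fpe(data, key, alphabet, maxb, iv, False)


if __name__ == "__main__":
    key = b"\x01" * 32                            # constructed demo key, not a real one
    for sample in ("2323-3434-5656-3434", "555-50-1234"):
        ct = fpe_encrypt(sample, key, CARD10, maxb=56)
        print(sample, "->", ct, "->", fpe_decrypt(ct, key, CARD10, maxb=56))
```

Running it shows the same behaviour the tables describe: hyphens and spaces stay at their positions, only the in-set characters change, and the ciphertext decrypts back to the input. The `iv_required` check is where a caller applies the "calculate effective input data length" rule from the notes before deciding whether to pass an IV.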