Format Preserving Encryption
The Format Preserving Encryption (FPE) algorithm allows the user to perform encryption on data while preserving the format of the input data.
Important Notes
Before using the FPE feature, the user must be aware of the following:
If the input data contains characters outside the cardinality, the user must calculate the effective input data length (the count of in-cardinality characters) and provide the IV accordingly.
If a particular piece of data mixes cardinalities, the user must tokenize the data per cardinality and pass each cardinality's data chunk separately.
FPE requires a minimum of two bytes/characters to perform encryption, and a minimum of four bytes in the case of Unicode.
The Unicode charset cannot be updated at run time; the charset range is supplied when the library is initialized in the sample. For example, if data was encrypted using a particular charset range, the same charset range must be used at decryption time, with nothing added or modified.
For Hebrew or Arabic, it is recommended that the entire charset range be based on one language; otherwise the decrypted text may not match the plaintext.
The Unicode Charset Range can be provided as "0700-074F,0000-007F,0590-05FF,00C00".
For Unicode, the minimum charset count must be two bytes/characters.
When using the FPE/AES/UNICODE algorithm, the RADIX value specified by the user equals the number of characters in the provided charset.
Supported encodings are Unicode UTF-8, Unicode UTF-16LE, Unicode UTF-16BE and Unicode UTF-32LE, in local mode only, for the FPE/AES, FPE/FF1v2 and FPE/FF3 algorithms.
The Format Preserving Encryption (FPE) algorithm performs crypto operations on data while preserving the format of the input data. CARD10 covers digits in the range 0 - 9, whereas CARD26 covers the range a - z.
Note
In remote mode, FPE supports input data of up to 3500 bytes.
FPE Algorithms
FPE/AES
The algorithm supports different cardinalities for different kinds of data.
CARD10 for digits in range (0 - 9).
CARD26 for lower case alphabets (a-z).
CARD62 for digits (0 - 9), lower case alphabets (a - z), and upper case alphabets (A - Z).
UNICODE to support various languages (the supported characters are provided in the charset range). The charset range must contain fewer than 65535 characters. Unicode files are not supported by this algorithm.
The charset range is passed at NaeFpe object creation in the samples when encrypting data drawn from such a character set. The number of characters in the charset range is treated as the cardinality of the input data. If the input data contains characters other than those in the character set, those characters are retained as they are after encryption/decryption.
Only CARD10 is supported in both local and remote mode; the other cardinalities are supported in local mode only.
When performing crypto operations with FPE/AES in local mode, the characters in the input data other than those specified by the cardinality are preserved and are not encrypted. In remote mode, crypto operations on such input data throw an invalid data chunk error.
FPE/FF1v2
Before using the FPE/FF1v2 feature, the user must be aware of the following:
FPE/FF1v2 requires a minimum of two characters to perform encryption. The maximum data length is 128000 characters.
If the tweak algorithm is None, the tweak data is optional. If tweak data is provided, the value must be a HEX encoded string.
If the tweak algorithm is SHA1 or SHA256, the tweak data is mandatory.
This algorithm supports different cardinalities for different types of data.
CARD10 for digits in range (0 - 9).
CARD26 for lower case alphabets (a-z).
CARD62 for digits (0 - 9), lower case alphabets (a - z), and upper case alphabets (A - Z).
UNICODE to support various languages. The maximum supported cardinality size is 65536.
Note
The FPE/FF1v2 algorithms are supported in the local mode only.
FPE/FF3
Before using FPE/FF3 feature, the user must be aware of the following:
FPE/FF3 requires a minimum of two characters to perform encryption. The maximum data length is 128000 characters.
If the tweak algorithm is None, the tweak data must be a 16-character HEX encoded string.
For the SHA1 and SHA256 tweak algorithms, the tweak data length must be ≤ 256 characters.
This algorithm supports different cardinalities for different types of data.
CARD10 for digits in range (0 - 9).
CARD26 for lower case alphabets (a-z).
CARD62 for digits (0 - 9), lower case alphabets (a - z), and upper case alphabets (A - Z).
UNICODE to support various languages. The maximum supported cardinality size is 65535.
When performing crypto operations with FPE/FF3, the characters in the input data other than those specified by the cardinality are preserved and are not encrypted.
Note
The FPE/FF3 algorithms are supported in the local mode only.
FPE/FF3-1
Before using FPE/FF3-1 feature, the user must be aware of the following:
FPE/FF3-1 requires a minimum of two characters to perform encryption. The maximum data length is 128000 characters.
For FPE/FF3-1, if the tweak algorithm is None, the tweak data must be a 14-character HEX encoded string.
For the SHA1 and SHA256 tweak algorithms, the tweak data length must be ≤ 256 characters.
When performing crypto operations with FPE/FF3-1, the characters in the input data other than those specified by the cardinality are preserved and are not encrypted.
FPE/FF3-1 supports the following cardinalities for different types of data.
CARD10 for digits in range 0 - 9.
CARD26 for lower case alphabets (a-z).
CARD62 for digits (0 - 9), lower case alphabets (a - z), and upper case alphabets (A - Z).
UNICODE (only UTF-8 encoding) to support various languages. The maximum supported cardinality size is 65535.
Note
Only the FPE/FF3-1/CARD10 algorithm is supported in remote mode; the remaining FPE/FF3-1 algorithms are supported in local mode only.
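The data-length and tweak rules listed for FPE/FF1v2, FPE/FF3 and FPE/FF3-1 above are easy to get wrong at integration time (the FF3 and FF3-1 tweak lengths differ by one byte). The following pre-flight validator is an added example, not CADP's own code: the algorithm and tweak-algorithm names are plain strings used only by this example, and nothing about the real API's parameter names or types is assumed.

```python
# Added example (not CADP's own code): pre-flight checks for the data-length
# and tweak rules the documentation lists for FPE/FF1v2, FPE/FF3 and FPE/FF3-1.
# Algorithm and tweak-algorithm names are plain strings used by this example only.
import string
from typing import List, Optional

MIN_CHARS = 2          # all three algorithms need at least two characters
MAX_CHARS = 128000     # maximum data length stated for all three

# Tweak rules as stated in the documentation, per algorithm:
#   none_len   - exact HEX length required when the tweak algorithm is None
#                (None = tweak is optional, as for FPE/FF1v2)
#   hashed_max - maximum tweak length with SHA1/SHA256 (None = no limit stated)
#   hashed_req - tweak data is mandatory with SHA1/SHA256
TWEAK_RULES = {
    "FPE/FF1v2": {"none_len": None, "hashed_max": None, "hashed_req": True},
    "FPE/FF3":   {"none_len": 16,   "hashed_max": 256,  "hashed_req": False},
    "FPE/FF3-1": {"none_len": 14,   "hashed_max": 256,  "hashed_req": False},
}
HASHED = ("SHA1", "SHA256")


def is_hex(value: str) -> bool:
    """True for a non-empty string made only of hex digits."""
    return len(value) > 0 and all(c in string.hexdigits for c in value)


def data_length_problems(data: str) -> List[str]:
    """Report violations of the minimum/maximum data length."""
    problems = []
    if len(data) < MIN_CHARS:
        problems.append(f"data has {len(data)} character(s); at least {MIN_CHARS} are required")
    if len(data) > MAX_CHARS:
        problems.append(f"data has {len(data)} characters; the maximum is {MAX_CHARS}")
    return problems


def tweak_problems(algorithm: str, tweak_alg: Optional[str], tweak: Optional[str]) -> List[str]:
    """Report violations of the tweak rules for the given algorithm."""
    if algorithm not in TWEAK_RULES:
        return [f"unknown algorithm {algorithm!r}"]
    rules = TWEAK_RULES[algorithm]
    problems = []
    if tweak_alg is None:
        if rules["none_len"] is None:
            # FPE/FF1v2: tweak optional, but it must be HEX encoded when present
            if tweak and not is_hex(tweak):
                problems.append(f"{algorithm}: tweak data must be a HEX encoded string")
        elif not tweak or len(tweak) != rules["none_len"] or not is_hex(tweak):
            problems.append(f"{algorithm}: with tweak algorithm None the tweak data must be a "
                            f"{rules['none_len']}-character HEX encoded string")
    elif tweak_alg in HASHED:
        if rules["hashed_req"] and not tweak:
            problems.append(f"{algorithm}: tweak data is mandatory with {tweak_alg}")
        if rules["hashed_max"] is not None and tweak and len(tweak) > rules["hashed_max"]:
            problems.append(f"{algorithm}: tweak data must be at most "
                            f"{rules['hashed_max']} characters with {tweak_alg}")
    else:
        problems.append(f"unknown tweak algorithm {tweak_alg!r}")
    return problems


def preflight(algorithm: str, data: str, tweak_alg: Optional[str] = None,
              tweak: Optional[str] = None) -> List[str]:
    """Combine both checks; an empty list means the call is well-formed."""
    return data_length_problems(data) + tweak_problems(algorithm, tweak_alg, tweak)


if __name__ == "__main__":
    # Constructed sample values, not taken from the documentation.
    print(preflight("FPE/FF3", "4111111111111111", None, "0011223344556677"))   # []
    print(preflight("FPE/FF3-1", "4111111111111111", None, "0011223344556677"))  # 16 != 14
```

The two raw-tweak lengths match the underlying standards: 16 hex characters are the 64-bit tweak of FF3 in NIST SP 800-38G, and 14 hex characters are the 56-bit tweak of FF3-1 in its Revision 1. Running the validator before calling the library turns a cryptic library error into a message that names the rule that was broken.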
Modes of FPE Version Key
You can pass any of the following key version header modes in the FPE samples:
Internal header support - The key version header is in HEX format and is saved in the first 3 bytes of the ciphertext. At decryption time, the version information is read from the first 3 bytes of the encrypted data and the decryption operation is performed on the remaining data.
Example
Input Data: abcxyz_123_ABC
Input Data (HEX): 61-62-63-78-79-7A-5F-31-32-33-5F-41-42-43
Encrypted Data (HEX): 10-00-60-30-7A-34-61-76-33-5F-46-70-31-5F-75-78-56
Decrypted Data (HEX): 61-62-63-78-79-7A-5F-31-32-33-5F-41-42-43
Decrypted 14 bytes: abcxyz_123_ABC
External header support - After encryption, the version header is obtained with the
byte[] header = ((NaeFpe)key).GetExternalHeader()
API. Similarly, at decryption time the
((NaeFpe)key).SetExternalHeader(header)
API is called to derive the version information, and the decryption operation is performed on the remaining data.
Example
Input Data: abcxyz_123_ABC
Input Data (HEX): 61-62-63-78-79-7A-5F-31-32-33-5F-41-42-43
Encrypted Data (HEX): 30-7A-34-61-76-33-5F-46-70-31-5F-75-78-56
Header Data (HEX): 10-00-60
Decrypted Data (HEX): 61-62-63-78-79-7A-5F-31-32-33-5F-41-42-43
Decrypted 14 bytes: abcxyz_123_ABC
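The two header modes produce the same bytes laid out differently: the internal-mode ciphertext is the 3-byte header followed by exactly what external mode returns as ciphertext. The script below is an added example, not CADP's own code; it parses the dash-separated hex dumps from the two examples above, splits and re-attaches the header, and checks that the ciphertext body keeps the plaintext length and the positions of the outside-cardinality '_' characters. The helper names are this example's own; only the 3-byte header length is taken from the documentation.

```python
# Added example (not CADP's own code): relate the internal-header and
# external-header forms of an FPE ciphertext using the documented hex dumps.
# Assumption taken from the text: the key version header is exactly 3 bytes.
import string
from typing import Dict, List, Tuple

HEADER_LEN = 3
CARD62 = set(string.digits + string.ascii_letters)


def parse_hex_dump(dump: str) -> bytes:
    """Parse the 'AA-BB-CC' dash-separated hex notation used in the examples."""
    return bytes(int(part, 16) for part in dump.split("-"))


def to_hex_dump(data: bytes) -> str:
    """Inverse of parse_hex_dump: render bytes as 'AA-BB-CC'."""
    return "-".join(f"{b:02X}" for b in data)


def split_internal_header(ciphertext: bytes) -> Tuple[bytes, bytes]:
    """Internal mode: the first 3 bytes are the version header, the rest is FPE output."""
    if len(ciphertext) < HEADER_LEN:
        raise ValueError("ciphertext shorter than the 3-byte version header")
    return ciphertext[:HEADER_LEN], ciphertext[HEADER_LEN:]


def attach_external_header(header: bytes, ciphertext: bytes) -> bytes:
    """External mode: the header travels separately; prepending it yields the internal form."""
    if len(header) != HEADER_LEN:
        raise ValueError(f"version header must be {HEADER_LEN} bytes, got {len(header)}")
    return header + ciphertext


def outside_positions(data: bytes) -> List[int]:
    """Indexes of bytes outside the CARD62 set (these stay in place through FPE)."""
    return [i for i, b in enumerate(data) if chr(b) not in CARD62]


# Values copied from the two examples in the documentation.
PLAINTEXT = b"abcxyz_123_ABC"
INTERNAL_CT = parse_hex_dump("10-00-60-30-7A-34-61-76-33-5F-46-70-31-5F-75-78-56")
EXTERNAL_CT = parse_hex_dump("30-7A-34-61-76-33-5F-46-70-31-5F-75-78-56")
EXTERNAL_HDR = parse_hex_dump("10-00-60")


def check_page_examples() -> Dict[str, bool]:
    """Cross-check the documented internal-mode and external-mode dumps against each other."""
    hdr, body = split_internal_header(INTERNAL_CT)
    return {
        "header_matches_external": hdr == EXTERNAL_HDR,
        "body_matches_external": body == EXTERNAL_CT,
        "length_preserved": len(body) == len(PLAINTEXT),
        "outside_chars_kept_in_place": outside_positions(body) == outside_positions(PLAINTEXT),
        "reattach_gives_internal": attach_external_header(EXTERNAL_HDR, EXTERNAL_CT) == INTERNAL_CT,
    }


if __name__ == "__main__":
    for name, ok in check_page_examples().items():
        print(f"{name}: {ok}")
    print("ciphertext body:", to_hex_dump(split_internal_header(INTERNAL_CT)[1]))
```

A practical consequence for storage design: with internal headers every ciphertext field grows by 3 bytes, so a column sized exactly for the plaintext will truncate it; with external headers the column keeps its original width but the header must be stored alongside it, since decryption with the wrong key version fails or yields garbage.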
Use Cases
Use case 1
Data element: Identification Numbers and Sensitive Authentication Data
Cardinality set: [0 to 9]
Algorithm: FPE/AES/CARD10
Maxb = 56
| Actual Input Data | Input Data to Crypto API | IV Required | Output | Remarks |
|---|---|---|---|---|
| 1122 | 1122 | no | 7394 | CADP for .NET Core performs CARD10 encryption as single data (datasize = 4 characters). |
| 2323-3434-5656-3434 | 2323-3434-5656-3434 | no | 4527-8628-7902-7942 | CADP for .NET Core preserves '-' as a special character and performs CARD10 encryption as single data with '-' removed (datasize = 16 characters). |
| 555-50-1234 | 555-50-1234 | no | 687-23-6272 | CADP for .NET Core preserves '-' as a special character and performs CARD10 encryption as single data with '-' removed (datasize = 9 characters). |
Use case 2
Data element: Sensitive Authentication Data and Address Information
Cardinality set: (0 to 9, a to z, A to Z)
Algorithm: FPE/AES/CARD62
Maxb = 32
| Actual Input Data | Input Data to Crypto API | IV Required | Output | Remarks |
|---|---|---|---|---|
| "3412 25D9 dAB5 394D" | "3412 25D9 dAB5 394D" | no | "A3n4 25fD 8DEl leDF" | CADP for .NET Core preserves (space) as a special character and performs FPE encryption as single data with (space) removed (datasize = 16 characters). |
| "John Alexander Diaz HQ USAREUR & 7A CMR 420 Box 676 APO AE 09063" | "John Alexander Diaz HQ USAREUR & 7A CMR 420 Box 676 APO AE 09063" | yes | "12dF 376lAr3fE9sS2k3 73DW0FT & vQ90s 1mK6cC 2JRAq3 23 1lR0RT" | CADP for .NET Core preserves all special characters and performs FPE encryption as single data with special characters removed; datasize > Maxb (32), so an IV is required. |
| "oasis_tan_1941 @gmail.com" | "oasis_tan_1941 @gmail.com" | no | "A2dr_er4_LSK4@a35dS.29k" | CADP for .NET Core preserves all special characters and performs FPE encryption as single data with special characters removed; the output may fail email validation. |
Use case 3
Data element: Latin Extended-A
Cardinality set: Special characters using charset as “0100-017F”
Algorithm: FPE/AES/UNICODE
Maxb = 26
| Actual Input Data | Input Data to Crypto API | IV Required | Output | Remarks |
|---|---|---|---|---|
| ĀaĂċ123 aĎĪabc | ĀaĂċ123 aĎĪabc | no | ıaŅŵ12 3aźĺabc | CADP for .NET Core performs FPE encryption as single data. All the charset characters are encrypted, and the positions of 1, 2, 3, a, b, c are preserved as they do not belong to the charset range provided. |
| ĀĂċĎĪ | ĀĂċĎĪ | yes | ćœŖŽď | CADP for .NET Core performs FPE encryption as single data. All the characters are encrypted as there are no special characters. |
| ĀĂċaĎĪa123ab cvĂĂĜĞĶĀĂċaĎĪa 123abcvĂĂĜĞĶa bc1aa2 3ĀĂċaĎĪa123 abcvĂĂĜĞĶ | ĀĂċaĎĪa123 abcvĂĂĜĞĶĀĂċaĎĪa123 abcvĂĂĜĞĶabc1a a23ĀĂċaĎĪa1 23abcvĂĂĜĞ | Yes (since Maxb = 26 and Cardinality = 128) | ŦĖŶaĖş a123abcvŢĄĴĵ ĕĘėīaŵĺa123abcv ŎřČĽıabc1aa23 ŤĔťaĤĤa123ab cvőĉŞŹ | CADP for .NET Core preserves all special characters and performs FPE encryption as single data. |
Use case 4
Data element: Name
Cardinality set: a to z
Algorithm: FPE/AES/CARD26
Maxb = 40
| Actual Input Data | Input Data to Crypto API | IV Required | Output | Remarks |
|---|---|---|---|---|
| "John Smith" | "john smith" | no | "kesv wqfkn" | All the uppercase letters are converted to lowercase. CADP for .NET Core preserves (space) as a special character and performs CARD26 encryption as single data (lowercase) with space removed (datasize = 9 characters). |
| "Mrs. ANNA TERESA" | "mrs. anna teresa" | no | "pth. whts bgftds" | All the uppercase letters are converted to lowercase. CADP for .NET Core preserves (space and '.') as outside cardinality characters and performs CARD26 encryption as single data (lowercase) with space removed (datasize = 13 characters). |
| "Mrs. ANNA BERTHA CECILIA DIANA EMILY FANNY QUINCEREBECCA SARAH TERESA" | "mrs. anna bertha cecilia diana emily fanny quincerebecca sarah teresa" | yes | "gkh. stet fnrsps lspjqka amgtq ftnso liseq eudnze-skypeqv ewqlg ybdnlh" | All the uppercase letters are converted to lowercase. CADP for .NET Core preserves (space, '.' and '-') as outside cardinality characters and performs CARD26 encryption as single data (lowercase) with space removed (datasize = 59 characters). An IV of 40 bytes is required. |
Use case 5
Data element: Latin Extended-A
Cardinality set: Special characters using charset as “0100-0105”
Algorithm: FPE/FF1v2/UNICODE
| Input Data | Charset | Encrypted | Remarks |
|---|---|---|---|
| ĀĂċĎĪ123 | 0100,0101,0102,0103,0104,0105 | ĀăċĎĪ123 | CADP for .NET Core performs FPE encryption as single data. All the charset characters are encrypted, and the positions of 1, 2, 3 are preserved as they do not belong to the charset range provided. |
| ĀĂċĎĪ | 0100,0101,0102,0103,0104,0105 | ĂĂċĎĪ | CADP for .NET Core performs FPE encryption as single data. All the characters are encrypted as there are no special characters. |
Use case 6
Data element: Latin Extended-A
Cardinality set: Special characters using charset as “0100-0105”
Algorithm: FPE/FF3/UNICODE
| Input Data | Charset | Encrypted | Remarks |
|---|---|---|---|
| ĀĂċĎĪ123 | 0100,0101,0102,0103,0104,0105 | āĀċĎĪ123 | CADP for .NET Core performs FPE encryption as single data. All the charset characters are encrypted, and the positions of 1, 2, 3 are preserved as they do not belong to the charset range provided. |
| ĀĂċĎĪ | 0100,0101,0102,0103,0104,0105 | āăċĎĪ | CADP for .NET Core performs FPE encryption as single data. All the characters are encrypted as there are no special characters. |
Use case 7
Data element: Latin Extended-A
Cardinality set: Special characters using charset as “0100-017F”
Algorithm: FPE/AES/UNICODE
| Input Data | Charset | Encrypted | Remarks |
|---|---|---|---|
| ĀĂċĎĪĀĂċĎĪ123 | 0100-017F | ĆŃňĤĩĘĥŹłŠ Ī123 | CADP for .NET Core performs FPE encryption as single data. All the charset characters are encrypted, and the positions of 1, 2, 3 are preserved as they do not belong to the charset range provided. |
| ĀĂċĎĪĀĂċĎĪ | 0100-017F | ŞĺŠČąėĨķćţ | CADP for .NET Core performs FPE encryption as single data. All the characters are encrypted as there are no special characters. |
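The Important Notes ask the caller to compute the effective input length, handle outside-cardinality characters and supply an IV when needed, and the use cases above show the resulting datasize and IV decisions. The script below is an added example, not CADP's own code: it builds the alphabet for CARD10/CARD26/CARD62 or for a UNICODE charset-range string (the "0700-074F,0000-007F,0590-05FF,00C00" form from the notes), separates the in-cardinality characters from the outside-cardinality characters that are preserved in place, reports radix and datasize, and decides whether an IV is required (datasize > Maxb). The Maxb values and the CARD26 lowercasing come from the use cases; the lowercasing applied here to CARD26 input, the function names and the Analysis type are this example's own. It also reassembles a processed core back around the preserved characters, which reproduces the layout of the documented CARD10 output.

```python
# Added example (not CADP's own code): cardinality bookkeeping for FPE input.
# Alphabets for CARD10/CARD26/CARD62 and the UNICODE charset-range syntax follow
# the documentation; Maxb is supplied by the caller (values from the use cases).
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_CHARSET = 65535   # charset range limit stated for FPE/AES/UNICODE
MIN_DATASIZE = 2      # FPE needs at least two in-cardinality characters


def parse_charset_range(spec: str) -> str:
    """Expand a charset-range string such as "0700-074F,0000-007F,0590-05FF,00C00"
    into an ordered alphabet. Each comma-separated item is a hex code point or an
    inclusive hex range; duplicates are dropped so the radix counts each char once."""
    chars, seen = [], set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        start, end = int(lo, 16), int(hi or lo, 16)
        if end < start:
            raise ValueError(f"descending range {item!r}")
        for cp in range(start, end + 1):
            if cp not in seen:
                seen.add(cp)
                chars.append(chr(cp))
    return "".join(chars)


def alphabet_for(cardinality: str, charset: Optional[str] = None) -> str:
    """Ordered alphabet for a cardinality name; UNICODE needs a charset range."""
    if cardinality == "CARD10":
        return string.digits
    if cardinality == "CARD26":
        return string.ascii_lowercase
    if cardinality == "CARD62":
        return string.digits + string.ascii_lowercase + string.ascii_uppercase
    if cardinality == "UNICODE":
        if not charset:
            raise ValueError("UNICODE requires a charset range")
        alphabet = parse_charset_range(charset)
        if len(alphabet) >= MAX_CHARSET:
            raise ValueError(f"charset range must be below {MAX_CHARSET} characters")
        return alphabet
    raise ValueError(f"unknown cardinality {cardinality!r}")


@dataclass
class Analysis:
    radix: int                          # number of characters in the alphabet
    core: str                           # in-cardinality characters, in order
    preserved: List[Tuple[int, str]]    # (position, char) kept as-is through FPE
    datasize: int                       # effective input length = len(core)
    iv_required: bool                   # datasize > Maxb


def split_by_cardinality(data: str, alphabet: str) -> Tuple[str, List[Tuple[int, str]]]:
    """Separate in-alphabet characters from the ones that stay in place."""
    members = set(alphabet)
    core, preserved = [], []
    for pos, ch in enumerate(data):
        (core.append(ch) if ch in members else preserved.append((pos, ch)))
    return "".join(core), preserved


def effective_length(data: str, cardinality: str, charset: Optional[str] = None) -> int:
    """Count of in-cardinality characters, i.e. the datasize the IV rule uses."""
    if cardinality == "CARD26":
        data = data.lower()   # use cases: uppercase letters are converted to lowercase
    return len(split_by_cardinality(data, alphabet_for(cardinality, charset))[0])


def analyse(data: str, cardinality: str, maxb: int, charset: Optional[str] = None) -> Analysis:
    """Full bookkeeping for one chunk of single-cardinality input."""
    alphabet = alphabet_for(cardinality, charset)
    if cardinality == "CARD26":
        data = data.lower()
    core, preserved = split_by_cardinality(data, alphabet)
    if len(core) < MIN_DATASIZE:
        raise ValueError(f"only {len(core)} in-cardinality character(s); FPE needs {MIN_DATASIZE}")
    return Analysis(len(alphabet), core, preserved, len(core), len(core) > maxb)


def reassemble(core_out: str, preserved: List[Tuple[int, str]], total_len: int) -> str:
    """Put the preserved characters back at their positions around the processed core."""
    if len(core_out) + len(preserved) != total_len:
        raise ValueError("core length plus preserved count must equal the original length")
    fixed = dict(preserved)
    core_iter = iter(core_out)
    return "".join(fixed[pos] if pos in fixed else next(core_iter) for pos in range(total_len))


if __name__ == "__main__":
    a = analyse("2323-3434-5656-3434", "CARD10", maxb=56)
    print(a)                                          # datasize 16, no IV
    print(reassemble("4527862879027942", a.preserved, 19))   # 4527-8628-7902-7942
```

Mixed-cardinality data is out of scope for a single call, exactly as the notes say: tokenize it per cardinality first and run analyse on each chunk.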