Format Preserving Encryption
The FPE algorithm encrypts well-formatted data without changing its format: the ciphertext has the same length and character set as the plaintext. The algorithm supports the CARD10 cardinality, i.e. the digits 0-9, so the data to be encrypted must consist only of digits in the range 0-9. The tables below provide details related to FPE.
Note: For local mode FPE, the input data must be at least two characters long.
FPE Related Information
The following table describes the fields that are required for FPE.

Field | Description
---|---
Key | Non-versioned AES keys only. Key versions are not supported.
Block Size | MAXb. For CARD10, MAXb = 56 bytes.
Cardinality | CARD10
IV | A hex-encoded MAXb integer, i.e. 56 bytes (112 hex characters) in which every byte value is a digit 0-9. An IV must always be supplied, but it is used only when the data is longer than MAXb: FPE splits long data into MAXb-sized blocks and chains them with a block chaining algorithm similar to CBC mode. A valid IV for FPE is, for example, the 112-character hex-encoded string `0401030003040604090301030705020505030507040108080102020704020702010304070400090105020603000002020906070004010200`.
Key Size (in bits) | 128, 192 or 256
Identifier Strings | FPE/AES/CARD10
Tweak Algorithm | Hashing algorithm applied to the tweak data before it is used. Valid values: NONE, SHA1, SHA256.
Tweak Data | Tweak data applies the tweakable-cipher concept to protect against statistical attacks that the potentially small input/output space would otherwise allow. With SHA1 or SHA256 it accepts any ASCII string, which need not be hex encoded. With NONE it must be a hex-encoded string representing a 64-bit value, so the hex encoding is exactly 16 characters, for example "1111111111111111".
Additional Notes | Base-16 (B16) encoding is not recommended with FPE: the output is already in readable form, so there is no need for B16 encoding.
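The following Python example is added here to make the constraints in the table concrete; it is not the vendor's code. It checks plaintext against the CARD10 and local-mode rules, validates the IV format, reports whether the IV will be consulted, splits long data into MAXb-digit blocks, and prepares the tweak for each Tweak Algorithm value. The cipher and the chaining step themselves are not implemented. Function names, the sample tweak strings and the treatment of the SHA digest (the page does not say how a SHA1/SHA256 digest is reduced before use, so the full digest is returned) are assumptions of this example; the sample IV is the one shown in the table.

```python
import hashlib
import re

# Constants taken from the FPE table on this page.
CARDINALITY = 10          # CARD10: the symbol set is the digits 0-9
MAXB = 56                 # block size in bytes/digits for CARD10
IV_HEX_LEN = 2 * MAXB     # a 56-byte IV is 112 hex characters
MIN_LOCAL_LEN = 2         # local-mode FPE needs at least two characters
TWEAK_NONE_HEX_LEN = 16   # "NONE" tweak is a 64-bit value, 16 hex characters

# The IV value from the table above, with the line-wrap spaces removed.
SAMPLE_IV = ("04010300030406040903010" "30705020505030507040108"
             "08010202070402070201030" "40704000901050206030000"
             "02020906070004010200")


def check_plaintext(data: str, local_mode: bool = True) -> str:
    """Reject input that FPE/AES/CARD10 cannot format-preserve."""
    if not re.fullmatch(r"[0-9]+", data):
        raise ValueError("FPE/AES/CARD10 accepts only digits 0-9")
    if local_mode and len(data) < MIN_LOCAL_LEN:
        raise ValueError("local-mode FPE needs at least two characters")
    return data


def iv_required(data: str) -> bool:
    """The IV is consulted only when the data is longer than MAXb digits."""
    return len(data) > MAXB


def check_iv(iv_hex: str) -> bytes:
    """Decode a hex IV and confirm it is 56 bytes, each a CARD10 symbol (0-9)."""
    if len(iv_hex) != IV_HEX_LEN:
        raise ValueError(f"IV must be {IV_HEX_LEN} hex characters ({MAXB} bytes)")
    raw = bytes.fromhex(iv_hex)            # raises ValueError on non-hex input
    if any(b >= CARDINALITY for b in raw):
        raise ValueError("every IV byte must be a digit value 0-9 for CARD10")
    return raw


def split_blocks(data: str) -> list:
    """Split data into MAXb-digit blocks; FPE chains these CBC-style when
    the data is longer than one block (the chaining is not shown here)."""
    return [data[i:i + MAXB] for i in range(0, len(data), MAXB)]


def derive_tweak(tweak_data: str, algorithm: str) -> bytes:
    """Turn user-supplied tweak data into bytes per the Tweak Algorithm field."""
    if algorithm == "NONE":
        # Must be a hex-encoded 64-bit value: exactly 16 hex characters.
        if len(tweak_data) != TWEAK_NONE_HEX_LEN:
            raise ValueError("NONE tweak must be 16 hex characters (64 bits)")
        return bytes.fromhex(tweak_data)
    if algorithm in ("SHA1", "SHA256"):
        # Any ASCII string is accepted; it is hashed rather than hex-decoded.
        raw = tweak_data.encode("ascii")   # non-ASCII raises UnicodeEncodeError
        digest = hashlib.sha1 if algorithm == "SHA1" else hashlib.sha256
        return digest(raw).digest()        # assumption: full digest is returned
    raise ValueError("tweak algorithm must be NONE, SHA1 or SHA256")


def prepare_request(data: str, iv_hex: str, tweak_data: str, algorithm: str) -> dict:
    """Validate all inputs of one FPE request and return what the cipher would consume."""
    check_plaintext(data)
    iv = check_iv(iv_hex)                  # always supplied, even if unused
    return {
        "blocks": split_blocks(data),
        "iv_used": iv_required(data),
        "iv": iv,
        "tweak": derive_tweak(tweak_data, algorithm),
    }


if __name__ == "__main__":
    # Constructed sample: a 16-digit number with a hex "NONE" tweak.
    req = prepare_request("4111111111111111", SAMPLE_IV, "1111111111111111", "NONE")
    print(len(req["blocks"]), "block(s); IV used:", req["iv_used"])
```

A request for data longer than 56 digits yields more than one block and `iv_used` becomes true, which is the only case in which the supplied IV influences the result.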
Supported Data Types
The following table shows the supported data types. Data types that do not appear in this list cannot be encrypted with FPE.
Data Type | Data Type
---|---
BIGINT | SMALLINT
INT | CHAR
VARCHAR |