SafeLogic Blog

Format-Preserving Encryption (FPE) in ‘FIPS Approved’ Mode

Written by Mark Minnoch | Jun 17, 2016 9:50:12 PM

The FIPS 140-2 Implementation Guidance (A.10) now includes vendor affirmation requirements for the format-preserving encryption schemes (FF1, FF3) specified in SP 800-38G.

As its name suggests, format-preserving encryption transforms plaintext to ciphertext of the same format and length. For example, format-preserving encryption may be used for a legacy application that needs to protect 16-digit credit card numbers and 9-digit social security numbers in a database without having to change their storage allocations. FPE has saved a lot of headaches in these use cases, as you can imagine.
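To make the "same format and length" property concrete, here is an added sketch (not SafeLogic code and not part of the original post) of an FF1-style alternating Feistel network over decimal digits. It is an assumption-laden teaching toy: HMAC-SHA256 stands in for the AES-based round function of SP 800-38G, so it is neither FF1 nor FF3, will not match any test vectors, and is not usable for 'FIPS Approved' operation; the function names, key, tweak and sample values are constructed.

```python
import hashlib
import hmac

ROUNDS = 10  # FF1 in SP 800-38G also runs 10 Feistel rounds


def _prf(key: bytes, tweak: bytes, rnd: int, half: str, n: int) -> int:
    # Stand-in round function (assumption): HMAC-SHA256, not FF1's AES-based PRF.
    msg = bytes([rnd, n]) + half.encode() + b"|" + tweak
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _check(digits: str) -> None:
    # Constructed limits: ASCII decimal digits only, 2 to 36 characters.
    if not (digits.isascii() and digits.isdigit() and 2 <= len(digits) <= 36):
        raise ValueError("expected 2 to 36 decimal digits")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    _check(digits)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2 :]
    for i in range(ROUNDS):
        m = len(a)
        # Add the PRF of the right half to the left half, modulo 10^m,
        # so the result is again exactly m decimal digits.
        c = (int(a) + _prf(key, tweak, i, b, n)) % 10**m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    _check(digits)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2 :]
    for i in reversed(range(ROUNDS)):
        m = len(b)
        # Undo one round: subtract the same PRF value modulo 10^m.
        prev_a = (int(b) - _prf(key, tweak, i, a, n)) % 10**m
        a, b = str(prev_a).zfill(m), a
    return a + b


if __name__ == "__main__":
    key = b"constructed demo key, not for production"
    for pt in ("4111111111111111", "123456789"):  # constructed sample values
        ct = fpe_encrypt(key, b"demo-tweak", pt)
        print(pt, "->", ct, "->", fpe_decrypt(key, b"demo-tweak", ct))
```
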

For ‘FIPS Approved’ operation, until Cryptographic Algorithm Validation Program (CAVP) testing becomes available specifically for FPE, vendors will need to complete CAVP testing for the underlying AES algorithm, make documentation updates, and affirm compliance with SP 800-38G. Alternatively, SafeLogic can help you strategize and complete this process as easily as possible.

If you have a customer requirement to provide format-preserving encryption with FIPS 140-2 validation, then please contact us today.