HPE Secures FIPS Validation for Format-Preserving Encryption

A decade after first inventing Format-Preserving Encryption, Hewlett Packard Enterprise now has a key government stamp of approval.

Format Preserving Encryption

Hewlett Packard Enterprise reached a major milestone this week, announcing on April 13 that its Format-Preserving Encryption (FPE) technology is now Federal Information Processing Standards validated. Terence Spies, chief technologist at HPE Security, said getting its FPE technology FIPS validated has been a long process.

"We invented Format-Preserving Encryption back in 2007," Spies told eWEEK.

FIPS validation is important because it enables a technology to be used within government agencies and industries that require validation before technologies can be widely used. The FIPS standards are maintained by the U.S. National Institute of Standards and Technology (NIST).

The basic idea behind FPE is to use a cipher like Advanced Encryption Standard (AES) that produces output that has the same format as the input, according to Spies. So, for example, if a credit card number is put into an FPE system, a credit card number can be taken out, but with selected digits randomized. FPE uses a sophisticated approach that uses 10 AES encryption functions. Using 10 AES functions provides a strong level of encryption that outputs data of the same length as the original data, he said.

A common approach for online data is for organizations to use a simple mathematical hashing function to effectively hide data from potential attackers. FPE is more robust than basic hashing approaches, Spies said.

"FPE is a one-to-one algorithm, so there are no collisions and the underlying database is very clean," he said. "With FPE, it's also easy for enterprises to keep data in the cypher text format."

Spies added that HPE wants enterprises to encrypt data with FPE and then use the corresponding cypher text, as if they were using the original data itself. So, for example, if a credit card number was encrypted with FPE, the FPE cypher text could then be used directly, without the need to store the data in an unencrypted format.

"With FPE being FIPS certified now, enterprises can go back to an auditor and say the cryptography has been validated by NIST," he said.

FPE is used by retailers to help keep payment data secure, according Spies. It can be installed in a point-of-sale (PoS) terminal and is also used by HPE SecureData customers to keep personally identifiable information (PII) secure for web transactions. Customers will, however, likely require an end-to-end HPE SecureData setup to fully benefit from FPE.

"There is nothing truly interoperable today, since in addition to FPE, there is also key management and the associated protocols on top," Spies said. "There isn't really a complete end-to-end standard for all the pieces."

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.