HPE Format-Preserving Encryption Gets FIPS Validated | eWeek

HPE Secures FIPS Validation for Format-Preserving Encryption

Format Preserving Encryption
Apr 14, 2017
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Hewlett Packard Enterprise reached a major milestone this week, announcing on April 13 that its Format-Preserving Encryption (FPE) technology is now Federal Information Processing Standards validated. Terence Spies, chief technologist at HPE Security, said getting its FPE technology FIPS validated has been a long process.

“We invented Format-Preserving Encryption back in 2007,” Spies told eWEEK.

FIPS validation is important because it enables a technology to be used within government agencies and industries that require validation before technologies can be widely used. The FIPS standards are maintained by the U.S. National Institute of Standards and Technology (NIST).

The basic idea behind FPE is to use a cipher like Advanced Encryption Standard (AES) that produces output that has the same format as the input, according to Spies. So, for example, if a credit card number is put into an FPE system, a credit card number can be taken out, but with selected digits randomized. FPE uses a sophisticated approach that uses 10 AES encryption functions. Using 10 AES functions provides a strong level of encryption that outputs data of the same length as the original data, he said.

A common approach for online data is for organizations to use a simple mathematical hashing function to effectively hide data from potential attackers. FPE is more robust than basic hashing approaches, Spies said.

“FPE is a one-to-one algorithm, so there are no collisions and the underlying database is very clean,” he said. “With FPE, it’s also easy for enterprises to keep data in the cypher text format.”

Spies added that HPE wants enterprises to encrypt data with FPE and then use the corresponding cypher text, as if they were using the original data itself. So, for example, if a credit card number was encrypted with FPE, the FPE cypher text could then be used directly, without the need to store the data in an unencrypted format.

“With FPE being FIPS certified now, enterprises can go back to an auditor and say the cryptography has been validated by NIST,” he said.

FPE is used by retailers to help keep payment data secure, according Spies. It can be installed in a point-of-sale (PoS) terminal and is also used by HPE SecureData customers to keep personally identifiable information (PII) secure for web transactions. Customers will, however, likely require an end-to-end HPE SecureData setup to fully benefit from FPE.

“There is nothing truly interoperable today, since in addition to FPE, there is also key management and the associated protocols on top,” Spies said. “There isn’t really a complete end-to-end standard for all the pieces.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.