Protegrity Format Preserving Encryption on

FPE Properties

Mon, 01 Jan 0001 00:00:00 +0000

The following table describes the properties provided by FPE.

Table: FPE Properties

FPE Property	Description
User configured FPE properties
Name	Unique name that identifies the FPE data element.
Protection Method	FPE NIST 800-38G NIST 800-38G is the recommended FPE specification by NIST that identifies the supported FPE cipher.
Plaintext Alphabet	Plaintext alphabet type of the data that is to be encrypted. The following data types are supported for encryption: Numeric Alpha Alpha-Numeric Unicode Basic Latin and Latin-1 Supplement Alpha Unicode Basic Latin and Latin-1 Supplement Alpha-Numeric The plaintext alphabet maps to code points that denotes a range of accepted characters. For more information about code point mappings, refer to Code points.
Minimum Input Length	The default minimum supported input data length is 2 bytes and configurable up to 10 bytes. The default minimum supported input length for Credit Card Number (CCN) is 8 bytes and configurable up to 10 bytes.
Tweak Input Mode	The tweak input process ensures that the same data in different position encrypts to a unique value. Tweak input can be derived from the following options: Extract from input message API Argument
From Left	Number of characters from left to retain in clear in encrypted output.
From Right	Number of characters from right to retain in clear in encrypted output.
Allow Short Data	Data is considered short when the amount of encrypted characters is less than the "Minimum Input Length". Based on whether the short data is supported or not, the possible options are "No, generate error", or "No, return input as it is". This is supported by Numeric and Alpha-Numeric data types only. The FPE does not support data less than 2 bytes, hence you can set the minimum input length value accordingly. For more information about short data support, refer to Length Preserving.
Special numeric alphabet handling	Here are the specific options for numeric data type validation with different Credit Card Number (CCN) checks: None - No specific check is applied Different Credit Card Number (CCN) check can be applied. For example; "Invalid Luhn", "Invalid Card Type", and "Alphabetic Indicator".
Read-only FPE properties
Ciphertext Alphabet	Ciphertext alphabet type of the encrypted data. This property value is same as the Plaintext Alphabet value.
Key Input	Internally generated by the active Key Store. For more information about the key store, refer to Key Store.
FPE Mode	Mode of operation for the block cipher algorithm with FF1 as the supported mode.
Pseudorandom Function (PRF)	Block cipher algorithm that is used for encryption with AES-256 as the supported algorithm.
Feistel Rounds	10
Max tweak length	The maximum supported tweak input length is 256 bytes.
Support Delimiters	Any input other than the supported data type is treated as a delimiter. If the input contains only delimiters, then the output value is equal to the input. By default, delimiters are supported for Numeric and Alpha-Numeric data type. Credit Card Number (CCN) data type does not support delimiters.
Preserve Length	The length preservation setting is true for: Numeric Alpha Alpha-Numeric Unicode Basic Latin and Latin-1 Supplement Alpha Unicode Basic Latin and Latin-1 Supplement Alpha-Numeric
Other FPE properties
Maximum Input Length (including delimiters)	The following are the maximum input lengths for the supported data types: Numeric – 2 GB Alpha – 2 GB Alpha-Numeric – 2 GB Unicode Basic Latin and Latin-1 Supplement Alpha – 2GB Unicode Basic Latin and Latin-1 Supplement Alpha-Numeric – 2 GB Credit Card – 4096 bytes The recommended maximum input size for the FPE data elements is 4096 characters. The performance decreases as the input length increases.

Table: Examples of Format Preserving Encryption

Code Points

Mon, 01 Jan 0001 00:00:00 +0000

The Unicode Standard is a character encoding system that supports the processing and representation of text from diverse languages. It includes various character encoding schemes, such as UTF-8 and UTF-16, which use character code points as input and generate encoded numeric values using pre-defined formulas.

The Unicode code space is divided into 17 planes:

Basic Multilingual Plane (BMP): Contains the most commonly used characters.
16 Supplementary Planes

Format-Preserving Encryption (FPE) supports encryption for BMP with Basic Latin (ASCII) and Latin-1 supplement blocks of characters.

Tweak Input

Mon, 01 Jan 0001 00:00:00 +0000

The tweak input is derived through either of the following methods:

Extract from input message - If the tweak is set to be derived from input message, then the left and right property settings are used as a configurable tweak option.
API argument - If the tweak is set to be derived through API argument, then the tweak value is provided as an input parameter through the API during the protect or unprotect operation.

The resultant tweak input is zero for the following conditions:

Left and Right Settings

Mon, 01 Jan 0001 00:00:00 +0000

Starting from v10.0.x, the new FPE data elements created with the Left and Right settings cannot be deployed to the previous versions of protectors.

It is recommended not to use the Left and Right settings for the FPE token as these settings are not present in the version of FPE that has been approved by NIST. If you use the Left and Right settings, then it reduces the strength of the FPE token.

Handling Special Numeric Credit Card Data

Mon, 01 Jan 0001 00:00:00 +0000

The Format Preserving Encryption (FPE) for Credit Card Number (CCN) is handled by configuring numeric data type as the plaintext alphabet. The following default settings for CCN are applicable:

Credit Card Number (CCN) data type does not support delimiters.
Short Data Encryption is not supported by CCN. The CCN supports a minimum input length of 8 bytes.

For more information about Invalid Card Type (ICT), Invalid Luhn, and Alphabet Indicator validation for CCN, refer to Credit Card.