FPE Properties
The FPE properties are specified when creating a data element with the FPE method.
The following table describes the properties provided by FPE.
Table: FPE Properties
FPE Property | Description |
User configured FPE properties | |
Name | Unique name that identifies the FPE data element. |
Protection Method | FPE NIST 800-38G. NIST 800-38G is the FPE specification recommended by NIST; it identifies the supported FPE cipher. |
Plaintext Alphabet | Plaintext alphabet type of the data that is to be encrypted. The following data types are supported for encryption:
The plaintext alphabet maps to code points that denote a range of accepted characters. For more information about code point mappings, refer to Code points. |
Minimum Input Length | The default minimum supported input data length is 2 bytes and configurable up to 10 bytes. The default minimum supported input length for Credit Card Number (CCN) is 8 bytes and configurable up to 10 bytes. |
Tweak Input Mode | The tweak input process ensures that the same data in different positions encrypts to a unique value. Tweak input can be derived from the following options:
|
From Left | Number of characters from the left to retain in the clear in the encrypted output. |
From Right | Number of characters from the right to retain in the clear in the encrypted output. |
Allow Short Data | Data is considered short when the number of encrypted characters is less than the "Minimum Input Length". Depending on whether short data is supported, the possible options are "No, generate error" or "No, return input as it is". This is supported by the Numeric and Alpha-Numeric data types only. FPE does not support data shorter than 2 bytes, hence you can set the minimum input length value accordingly. For more information about short data support, refer to Length Preserving. |
Special numeric alphabet handling | Here are the specific options for numeric data type validation with different Credit Card Number (CCN) checks:
|
Read-only FPE properties | |
Ciphertext Alphabet | Ciphertext alphabet type of the encrypted data. This property value is the same as the Plaintext Alphabet value. |
Key Input | Internally generated by the active Key Store. For more information about the key store, refer to Key Store. |
FPE Mode | Mode of operation for the block cipher algorithm with FF1 as the supported mode. |
Pseudorandom Function (PRF) | Block cipher algorithm that is used for encryption with AES-256 as the supported algorithm. |
Feistel Rounds | 10 |
Max tweak length | The maximum supported tweak input length is 256 bytes. |
Support Delimiters | Any input other than the supported data type is treated as a delimiter. If the input contains only delimiters, then the output value is equal to the input. By default, delimiters are supported for the Numeric and Alpha-Numeric data types. The Credit Card Number (CCN) data type does not support delimiters. |
Preserve Length | The length preservation setting is true for:
|
Other FPE properties | |
Maximum Input Length (including delimiters) | The following are the maximum input lengths for the supported data types:
The recommended maximum input size for the FPE data elements is 4096 characters. The performance decreases as the input length increases. |
Table: Examples of Format Preserving Encryption
| Input Value | Encrypted Value | Comments |
|---|---|---|
| 123456789012345 | 187868154999435 | Plaintext alphabet – Numeric; Tweak Input – Extract from Input Message; Left=1, Right=1; Allow Short Data = No, return input as it is; Minimum Input Length=3 |
| Protegrity1234567 | PyNqSJybYp1234567 | Plaintext alphabet – Alpha; Tweak Input – API Argument; Left=1, Right=0; Allow Short Data = No, generate error; Minimum Input Length=2 |
| Protegrity1234567 | ProZSNbyADNoPb2ns | Plaintext alphabet – Alpha-Numeric; Tweak Input – Extract from Input Message; Left=3, Right=0; Allow Short Data = No, return input as it is; Minimum Input Length=10 |
| 43211234567890 | 76454340562108 | Plaintext alphabet – CCN; Tweak Input – Extract from Input Message; Left=0, Right=0; Allow Short Data = No, generate error; Minimum Input Length=9; Invalid Card Type=True |
| þrõtégrîtÝ@123456789 | þràñTÿwõùÞ@123456789 | Plaintext alphabet – Unicode Basic Latin and Latin1 Supplement Alpha; Tweak Input – Extract from Input Message; Left=2, Right=1; Allow Short Data = No, generate error; Minimum Input Length=4 |
| þrõtégrîtÝ@123456789 | þrWtçjÑHÿÖ@9íKLksvp9 | Plaintext alphabet – Unicode Basic Latin and Latin1 Supplement Alpha-Numeric; Tweak Input – API Argument; Left=2, Right=1; Allow Short Data = No, return input as it is; Minimum Input Length=6 |
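
The format rules these rows illustrate (length preserved, From Left / From Right characters kept in the clear, delimiters untouched, ciphertext staying in the plaintext alphabet) can be checked mechanically when validating a data element. The Python below is an added example, not Protegrity code; the character set chosen for each alphabet is an assumption, as is counting From Left / From Right over raw string positions, which is the reading that fits the rows above.

```python
import string
import unicodedata

# Alphabet membership tests; these sets are assumptions made for this example.
ALPHABETS = {
    "numeric": lambda c: c in string.digits,
    "alpha": lambda c: c in string.ascii_letters,
    "alphanumeric": lambda c: c in string.ascii_letters + string.digits,
    "latin1_alpha": lambda c: ord(c) <= 0xFF and c.isalpha(),
    "latin1_alphanumeric": lambda c: ord(c) <= 0xFF and c.isalnum(),
}

def check_fpe_format(plain, cipher, alphabet, left=0, right=0):
    """Return the list of violated format invariants (empty means pass)."""
    plain = unicodedata.normalize("NFC", plain)
    cipher = unicodedata.normalize("NFC", cipher)
    in_alphabet = ALPHABETS[alphabet]
    if len(plain) != len(cipher):
        return ["length changed: %d -> %d" % (len(plain), len(cipher))]
    problems = []
    # Assumption: From Left / From Right count raw string positions.
    if plain[:left] != cipher[:left]:
        problems.append("left clear prefix not retained")
    if right and plain[-right:] != cipher[-right:]:
        problems.append("right clear suffix not retained")
    for i, (p, c) in enumerate(zip(plain, cipher)):
        if not in_alphabet(p):
            if p != c:  # characters outside the alphabet are delimiters
                problems.append("delimiter at index %d changed" % i)
        elif not in_alphabet(c):
            problems.append("index %d left the alphabet" % i)
    return problems

# Rows from the table above (input, encrypted, alphabet, left, right); CCN is checked as numeric.
PAGE_EXAMPLES = [
    ("123456789012345", "187868154999435", "numeric", 1, 1),
    ("Protegrity1234567", "PyNqSJybYp1234567", "alpha", 1, 0),
    ("Protegrity1234567", "ProZSNbyADNoPb2ns", "alphanumeric", 3, 0),
    ("43211234567890", "76454340562108", "numeric", 0, 0),
    ("þrõtégrîtÝ@123456789", "þràñTÿwõùÞ@123456789", "latin1_alpha", 2, 1),
    ("þrõtégrîtÝ@123456789", "þrWtçjÑHÿÖ@9íKLksvp9", "latin1_alphanumeric", 2, 1),
]

def run_page_examples():
    return [check_fpe_format(*row) for row in PAGE_EXAMPLES]

if __name__ == "__main__":
    for row, problems in zip(PAGE_EXAMPLES, run_page_examples()):
        print(row[0], "->", row[1], ":", problems or "ok")
```
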
FPE Support for Protectors
- The maximum supported input length differs for different protectors based on the input length supported by the protector.
For more information about the maximum supported input length for different protectors, refer to Minimum and Maximum Input Length.
- The maximum input length supported by the PTY.INS_UNICODENVARCHAR2 UDF for the Oracle Database Protectors is 2000 characters.
- If you are using Format Preserving Encryption (FPE) with Teradata UDFs, you can extend the maximum data length size provided by these UDFs, which is up to 47407 bytes by default.
- Starting from v10.0.x, the Format Preserving Encryption (FPE) is only supported by the following UDFs in Teradata Protector:
- pty_varcharunicodeins
- pty_varcharunicodesel
- pty_varcharunicodeselex
The maximum data length size for these UDFs can be modified in the createvarcharunicode.sql file. For more information about updating the output buffer parameter, refer to Updating the Output Buffer for the Teradata UDFs.
- The REPLACE_UDFVARCHARTOKENMAX parameter value for these functions can be set up to 64000. Teradata supports the maximum row size length of approximately 64000 bytes.
- Starting from v10.0.x, Masking is not supported for FPE data elements as the default encoding set is UTF-8.
- For FPE data elements, the External IV is only supported with the Alpha, Numeric, and Alpha-Numeric plaintext alphabets.
- The API that takes a string as input and returns bytes as output is unsupported by FPE data elements for AP Java and AP Python.
For more information about empty string handling by protectors, refer to Empty String Handling by Protectors.