FFX Modes of the AES Encryption Algorithm Specified in NIST’s SP 800-38G

The National Institute of Standards and Technology (NIST) recently approved two new modes of the AES encryption algorithm for US government use. These modes are examples of that NIST calls “format-preserving encryption” (FPE), and are called “FF1” and “FF3.” (The original draft of the FFX specification also included an FF2 mode, but it was withdrawn after an analysis of it discovered a cryptographic weakness.)

NIST uses the term “FFX” to describe a general approach to format-preserving encryption (FPE), and the FF1 and FF3 modes are specific instances of it. NIST Special Publication (SP) 800-38G, “Recommendations for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption,” specifies these modes.

Ciphertext from an encryption algorithm usually looks very different than the corresponding plaintext. If we encrypt the plaintext string “4111111111111111” using AES-ECB, for example, we might get a string like “MKSqwaywf4N8i9gEci4yTUTPalvnQBlBi+Uz6j1Tjig=” for our ciphertext.

If the original string represented a credit card number, the encrypted version will not look like a credit card number at all. It will contain characters other than the digits 0 through 9, and will be longer than the typical 16-character plaintext credit card number (This example shows a Base64 encoding of the ciphertext to ensure that we have printable characters. Otherwise, most of the ciphertext will probably be non-printable characters.).

Changing the format of datacan cause problems in many of today’s legacy IT environments because some applications can only handle data that has a particular format, and modifications that work around this issue can be very expensive.

An approach that works well in many cases is to adapt the data to the environment instead of adapting the environment to the data, and one way to do this is to implement encryption in such a way that ciphertext has the same format as the corresponding plaintext.

This may be easy to do, but it is not easy to do securely.

To get ciphertext that has the same format as the corresponding plaintext, researchers have proposed many versions of FPE. The technology dates back to at least 1981, when the original US government guideline for implementing the Data Encryption Standard (DES) (FIPS PUB 74, “Guidelines for Implementing the NBS Data Encryption Standard,” April 1981) included a description of how to use DES encryption in a way that preserved the format of data on a character-by-character basis – mapping a decimal digit to another decimal digit, for example.

Over the following years, researchers proposed various other ad hoc approaches to FPE, but in 2002 cryptographers John Black and Phil Rogaway described three approaches to FPE and proved that they were secure. The FFX modes represent the evolution of one of these approaches, and are a significant step forward in applied cryptography.

In January 2016, at the Real World Cryptography Conference 2016, Dr. Rogaway was recognized for his contributions to practical applications of cryptography when he was awarded the first annual Levchin Prize. The Levchin Prize web site gives this as the reason for this award: “Rogaway is considered a giant in the field of symmetric encryption.  He was given the Levchin Prize for his work on authenticated encryption and format preserving encryption.”

HPE Security – Data Security Chief Technologist Terence Spies noted the relevance of NIST’s acceptance of FPE. “The recognition of FPE technology by the first Levchin prize was significant,” said Spies, “but the recognition of the FFX modes by NIST is even a more significant milestone in the acceptance of the technology.”

“The private sector has already embraced FPE technology,” continued Spies. “Today, it protects billions of payments transactions each day. It is used in healthcare processes, in airline processing systems, in mobile applications, in big data applications (including Hadoop), in web transactions, and in enabling organizations to move sensitive data to the cloud while retaining total control over their data.”

HPE Security – Data Security Global Director of Product Management Mark Bower also commented on this newsworthy event. “With data breaches affecting government agencies,” said Bower, “the need for proven and government-ready data security standards has never been higher. HPE welcomes NIST’s acceptance of this powerful new technology into the NIST AES modes standards.”

“The NIST recognition sets the bar for data-centric security,” continued Bower. “Not all Format-Preserving Encryption techniques are the same. With the rush to market from leading organizations demanding new data-centric security approaches to secure data to enable new business strategies and reduce breach risks, vendors have rushed to market with a range of proprietary methods which must to be assumed to be weak until proven, peer reviewed, published and standards accepted, as with NIST. This is critical for regulatory compliance and audit scrutiny. Any organization using data secured with a proprietary method without recognition like NIST may in fact be inadvertently causing a data breach due to the unproven nature of the method.”

FFX technology is available in a range of HPE Security – Data Security products that secure enterprise data, as well as payments, web, mobile and cloud data. Contact us to learn more about a license program for third partie