7 Things You Can Do To Deal With The Recent Format Preserving Encryption (FPE) Compromise

Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES they've issued a news release that one of the approved modes has been broken. Since FPE is actively deployed within the payment industry this will have implications for payment security and users of this technology. But how bad is the problem? And if you happen to be affected, what can you do?

A Closer Look At NIST and FPE

We've written about FPE on this blog before (see Learn More below). Our initial interest in FPE arose because, at first glance, it seemed to be too good to be true. We also wrote about some potential compliance issues that arise that have nothing to do with the strength of the cryptography used. When we first looked at FPE, NIST's backing provided much of the credibility. Frankly, we're not entirely surprised to see a break into FPE but we are surprised at how fast it happened.

NIST originally considered three FPE modes called FF1, FF2, and FF3, or generically FFx. FF2 did not survive to publication and now FF3 has been broken by researchers Betül Durak (Rutgers University) and Serge Vaudenay (Ecole Polytechnique Fédérale de Lausanne). A paper is expected to follow later this year. The attack they developed is more effective on shorter data and should be computationally feasible on FPE-PAN. It remains to be seen if it will be feasible in real-world payment security use cases.

From the NIST announcement:

• NIST has concluded that FF3 is no longer suitable as a general-purpose FPE method.
• FF3 clearly does not achieve the intended 128-bit security level
• The researchers proposed a straightforward modification (i.e. fix) to FF3
• NIST expects to revise 800-38G either to change the FF3 specification, or to withdraw the approval of FF3.

Recent years have seen changes over RSA-1024, RC4, SSL and early-TLS, and SHA-1 mandated by organizations like the PCI Council and the Certificate and Browser Authority which rely on NIST. Because PCI standards rely heavily upon NIST for guidance on strong cryptography and unless FF3 can be fixed, we expect its use will have to be phased out. This will impact merchants, 3rd party service providers, payment application vendors, and payment terminal manufacturers.

What To Do Next

Here are 7 things you should do if you are using any FPE solutions in your payment environment:

1. Don't panic!
2. Understand how you are using FPE so that you can analyze the risk in your particular use case(s)
3. Contact and involve your encryption solution provider
4. Understand which FPE algorithm you are using including key lengths and modes
5. Plan for potential contingencies such as patching, logistics, costs, and timelines
6. Monitor for new developments on this issue
7. Update risk assessments and plans accordingly

So what are we concerned and not concerned about?

• Based on the announcement, solutions using (randomized) format-preserving tokens won't be affected by a cryptographic problem.
• The non-cryptographic compliance problem of FPE data remains unchanged. It's not a show stopper but it can be messy.
• Currently, AES-FF1 is the only approved FPE mode.
• Given that both FF2 and FF3 have been broken and broken relatively quickly, we can't help but wonder about future attacks on a fixed-FF3 or FF1.

Learn More

• NIST Request for Comments on FPE updates (New! Updated 2019-3-4)
• NIST: Recent Cryptanalysis of FF3 (link updated)
• NIST: Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption (link fixed)
• Must Format Preserving Encryption (FPE) be distinguishable from cardholder data for PCI?
• What is Format Preserving Encryption and is it suitable for PCI DSS?
• SHA-1 IS Dead!