7 Things You Can Do To Deal With The Recent Format Preserving Encryption (FPE) Compromise

April 26 2017

Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES, they’ve issued a news release saying that one of the approved modes has been broken. Since FPE is actively deployed within the payment industry, this will have implications for payment security and for users of this technology. But how bad is the problem? And if you happen to be affected, what can you do?

A Closer Look At NIST and FPE

We’ve written about FPE on this blog before (see Learn More below). Our initial interest in FPE arose because, at first glance, it seemed too good to be true. We also wrote about some potential compliance issues that arise with FPE and have nothing to do with the strength of the cryptography used. When we first looked at FPE, NIST’s backing provided much of its credibility. Frankly, we’re not entirely surprised to see a break of an FPE mode, but we are surprised at how fast it happened.

NIST originally considered three FPE modes called FF1, FF2, and FF3, or generically FFx. FF2 did not survive to publication and now FF3 has been broken by researchers Betül Durak (Rutgers University) and Serge Vaudenay (Ecole Polytechnique Fédérale de Lausanne). A paper is expected to follow later this year. The attack they developed is more effective on shorter data and should be computationally feasible on FPE-PAN. It remains to be seen if it will be feasible in real-world payment security use cases.

From the NIST announcement:

  • NIST has concluded that FF3 is no longer suitable as a general-purpose FPE method.
  • FF3 clearly does not achieve the intended 128-bit security level.
  • The researchers proposed a straightforward modification (i.e. a fix) to FF3.
  • NIST expects to revise SP 800-38G either to change the FF3 specification or to withdraw the approval of FF3.

Recent years have seen changes over RSA-1024, RC4, SSL and early TLS, and SHA-1 mandated by organizations like the PCI Council and the Certificate and Browser Authority, which rely on NIST. Because PCI standards rely heavily upon NIST for guidance on strong cryptography, unless FF3 can be fixed we expect its use will have to be phased out. This will impact merchants, 3rd party service providers, payment application vendors, and payment terminal manufacturers.

What To Do Next

Here are 7 things you should do if you are using any FPE solutions in your payment environment:

  1. Don’t panic!
  2. Understand how you are using FPE so that you can analyze the risk in your particular use case(s)
  3. Contact and involve your encryption solution provider
  4. Understand which FPE algorithm you are using including key lengths and modes
  5. Plan for potential contingencies such as patching, logistics, costs, and timelines
  6. Monitor for new developments on this issue
  7. Update risk assessments and plans accordingly

So what are we concerned and not concerned about?

  • Based on the announcement, solutions using (randomized) format-preserving tokens won’t be affected by a cryptographic problem.
  • The non-cryptographic compliance problem of FPE data remains unchanged. It’s not a show stopper but it can be messy.
  • Currently, AES-FF1 is the only approved FPE mode.
  • Given that both FF2 and FF3 have been broken and broken relatively quickly, we can’t help but wonder about future attacks on a fixed-FF3 or FF1.

Learn More
