Barely a year after NIST approved AES-based Format-Preserving Encryption (FPE), the agency has issued a news release stating that one of the approved modes has been broken. Since FPE is actively deployed in the payment industry, this has implications for payment security and for users of the technology. But how bad is the problem? And if you happen to be affected, what can you do?
We have written about FPE on this blog before (see Learn More below). Our initial interest in FPE arose because, at first glance, it seemed too good to be true. We also wrote about some potential compliance issues that have nothing to do with the strength of the cryptography itself. When we first looked at FPE, NIST's backing provided much of its credibility. Frankly, we are not entirely surprised to see a break in FPE, but we are surprised at how fast it happened.
NIST originally considered three FPE modes, called FF1, FF2 and FF3 (generically, FFx). FF2 did not survive to publication, and now FF3 has been broken by researchers Betül Durak (Rutgers University) and Serge Vaudenay (Ecole Polytechnique Fédérale de Lausanne). A paper is expected to follow later this year. The attack they developed is more effective on shorter inputs, that is, on small domains, and should be computationally feasible against FPE applied to a PAN (FPE-PAN). This matters because the encrypted portion of a card number is often short: in a deployment that leaves the first six and last four digits of a 16-digit PAN in the clear, only six digits (a domain of one million values) remain for the cipher to protect. Whether the attack is practical in real-world payment deployments remains to be seen.
From the NIST announcement:
Recent years have seen mandated migrations away from RSA-1024, RC4, SSL and early TLS, and SHA-1, driven by organizations such as the PCI Security Standards Council and the CA/Browser Forum, which rely on NIST guidance. Because PCI standards lean heavily on NIST for the definition of strong cryptography, unless FF3 can be fixed we expect its use will have to be phased out. This will affect merchants, third-party service providers, payment application vendors and payment terminal manufacturers.
Here are 7 things you should do if you are using any FPE solutions in your payment environment:
So what are we concerned and not concerned about?