New Security Standard from NIST

Wednesday, March 30, 2016 @ 11:03 AM gHale


For years, when a credit card ended up swiped, the number would remain stored on the card reader, making encryption difficult to implement.

It took a while, almost 10 years, but a new computer security standard published by the National Institute of Standards and Technology (NIST) not only will support methods vendors introduced to protect a card number, but the method could help keep personal health information secure as well.

RELATED STORIES
Joint Process Needed for Security Framework
Security Framework Grows in Usage
Securing Teleworker Attack Vector
ICS-CERT Releases CSET 7.1

NIST Special Publication (SP) 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption,” specifies two techniques for “format-preserving encryption,” or FPE.

The publication addresses a longstanding issue in software packages that handle financial data and other forms of sensitive information: How do you transform a string of digits such as a credit card number so it is indecipherable to hackers, but still has the same length and look of the original number.

The new techniques are more suitable for this purpose than NIST’s previously approved encryption methods, which ended up designed only for binary data – the frequently lengthy strings of 1s and 0s used by computers, said standards author Morris Dworkin. But because financial software – used in card readers and billing – often expects a credit card number to be the typical 16 digits long, encountering a lengthier encrypted number might cause problems in the software. The new FPE method works on binary and conventional (decimal) numbers — in fact, sequences created from any “alphabet” of symbols — and it produces a result with the same length as the original.

“An FPE-encrypted credit card number looks like a credit card number,” Dworkin said. “This allows FPE to be retrofitted to the existing, installed base of devices.”

The two FPE techniques, called FF1 and FF3 in the new publication, ended up vetted during public comment periods on the standard in 2009 and 2013.

While the main commercial impetus for developing these techniques is credit card number encryption, another potential application is the “anonymizing” of personally identifiable information from databases, particularly those containing sensitive medical information. Databases of this sort are invaluable for researching the effects of different treatment methods on diseases, for example, but they often use social security numbers to identify individual patients and can contain other personal information. FPE encryption could handle this problem as well, though Dworkin said in this case the approach would not necessarily be foolproof.

“FPE can facilitate statistical research while maintaining individual privacy, but patient re-identification is sometimes possible through other means,” he says. “You might figure out who someone is if you look at their other characteristics, especially if the patient sample is small enough. So it’s still important to be careful who you entrust the data with in the first place.”