On 17 May 2015 at 14:39, Phil Smith <[email protected]> wrote:

> Format-preserving data protection methods achieve PCI DSS compliance while
> enabling persistent, data-centric security. “Format-preserving” means that the
> encrypted/tokenized values look and feel like plaintext: same length, same
> character set.
I've heard about this format-preserving encryption for a while, but haven't had the justification for spending time to really understand what goes on. But it seems to me on the face of it that any such encryption must be substantially weaker than what we usually think of as strong encryption. Surely for (e.g.) a 16-digit credit card number there are only 10**16 and probably effectively *many* fewer (given a check digit and the likelihood that the first and last four digits are far less secure than the middle eight) encrypted possibilities, compared to almost 2**64 or about 10**19 possibilities for an arbitrary 8-byte block of data. And then there's the difficulty of using CBC mode, or indeed anything other than plain old ECB, which leaves a database full of known and indeed close to chosen plaintext data to work with.

Not meaning to hijack the thread (and I think I am staying relevant), but maybe you could explain what goes on in a few sentences. Doubtless good minds have spent a lot of time on this; if there's a short and to the point introduction somewhere I'd be happy to look at it.

Thanks...

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
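As an added illustration, not part of this thread, the toy cipher below shows the Feistel construction that format-preserving schemes such as NIST FF1 are built on (a 10-round network over decimal digits, with HMAC-SHA256 standing in for FF1's AES-based round function) and makes the ECB-like point concrete: used deterministically, equal card numbers in a table produce equal tokens, while a per-record tweak removes that equality without changing the 16-digit format. The key, the record ids and the dummy card numbers are constructed sample data.

```python
import hmac
import hashlib

ROUNDS = 10  # FF1 also uses 10 rounds; the round function below is a stand-in

def _round_fn(key: bytes, tweak: bytes, i: int, half: str) -> int:
    """Keyed pseudorandom function over (tweak, round index, other half);
    HMAC-SHA256 here, where real FF1 uses an AES-based PRF."""
    msg = tweak + bytes([i]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Map an n-digit decimal string to another n-digit decimal string with a
    Feistel network: add the PRF of one half into the other, modulo 10**m."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a decimal string of at least 2 digits")
    n = len(digits)
    u, v = n // 2, n - n // 2            # unbalanced split for odd n
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v       # width of the half being replaced
        c = (int(a) + _round_fn(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)        # zfill keeps leading zeros
    return a + b

def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Undo fpe_encrypt by subtracting the same PRF values in reverse order."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b

def tokenize_column(key: bytes, rows, per_row_tweak: bool):
    """Encrypt the PAN in each (record_id, pan) row. With no tweak the cipher is
    deterministic, so equal PANs give equal tokens (the ECB-like leakage raised
    in the thread); tweaking with the record id removes that pattern."""
    return [fpe_encrypt(key, pan, rec.encode() if per_row_tweak else b"")
            for rec, pan in rows]

# Constructed sample data: a test key and well-known dummy card numbers.
KEY = b"0123456789abcdef"
ROWS = [("r1", "4111111111111111"), ("r2", "4111111111111111"),
        ("r3", "5500000000000004")]
```

Note that the tweak must be stored or derivable (here it is the record id) or the token cannot be reversed; the round function, not the 10**16 output domain, is where a real scheme's key strength lives.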
