Format Preserving Encryption (FPE) format preservation details
Question
I have been trying out https://github.com/idealista/format-preserving-encryption-java.git and https://github.com/ubiqsecurity/ubiq-fpe-java. I have also been reading https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38Gr1-draft.pdf.
Am I right in thinking that if I have a card number 4111-1111-1111-1111 with "-" or space as separator in plain text. If I have a requirement that in the resulting cipher post encryption the "-" or space should retain its position in the text and only the remaining text is encrypted, that's outside the scope of FPE.
If I were to include "-" in the alphabet in the resulting cipher "-" would be treated only as just another alphabet and FPE won't preserve it occurring at same indexes in plain text and cipher text.
If I need to do this I must manage it as a layer on top of the FPE using string manipulation.
Also if I need that the first four numerical digits don't get encrypted then that also I must manage myself and it's not in scope of FPE.
Right?
Answer 1
Score: 4
Short Answer
The dashes are just formatting; they don't carry information. They are meaningless with regard to encryption. Remove the dashes and put them back after encryption.
Long Answer
A way to think about FPE is this: You have a super long list of all the possible "plain text" credit cards you want to encrypt in column A. They might be valid or not. Line 1 will have 1111-1111-1111-1111 and the last line will have 9999-9999-9999-9999.
You shuffle-copy that list to column B so that for every card number in column A there is now an unrelated credit card number in column B. The encryption key you use for FPE controls the shuffle process. More details on that here.
Like the source list, the FPE encrypted numbers might be valid or not. Since you don't control the shuffle algorithm, if you want all the numbers to be valid, you must:
- Remove the information you want to keep
- Encrypt the middle part
- Make the number "valid" again.
With credit card numbers, there are probably 2 pieces of information you want to keep:
- The first digit(s) is/are the Issuer Identification number.
- The very last digit, the Luhn check digit
If you want to keep the IIN, you must remove the leading digits prior to FPE encryption and put them back after.
If you want to have a valid Luhn check digit at the end, you must remove it prior to encryption, then compute it back in after encryption.
Keep in mind that every original digit you keep makes the encryption weaker. Chances are you only need the encrypted card numbers to match between themselves, like matching transactions in logs. You don't need any original digits, as long as you always get the same encrypted output for a given card.
One last thing you could worry about is key rotation. If you ever need to change your key, because of PCI DSS requirements maybe, then you might have to FPE re-encrypt the numbers already on file so they match the ones encrypted with the new key.
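The layering that the question and the answer both describe (strip separators, leave the leading digits in the clear, encrypt the middle, recompute the Luhn digit), as an added Python example that is not part of the original post or of either library. `toy_digit_fpe` is a hypothetical stand-in for a real FF1/FF3-1 call and is not secure; `protect_pan`, `keep` and `KEY` are names assumed here.

```python
import hashlib
import hmac

DIGITS = "0123456789"

def luhn_check_digit(payload: str) -> str:
    """Digit that makes payload + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

def toy_digit_fpe(key: bytes, digits: str, decrypt: bool = False) -> str:
    """STAND-IN for FF1/FF3-1 (demo only, not secure): 8-round alternating
    Feistel over decimal strings, so output keeps length and alphabet."""
    half = len(digits) // 2
    parts = [digits[:half], digits[half:]]
    for r in (range(7, -1, -1) if decrypt else range(8)):
        tgt, src = r % 2, 1 - r % 2
        mac = hmac.new(key, bytes([r]) + parts[src].encode(), hashlib.sha256).digest()
        delta = int.from_bytes(mac, "big")
        width = len(parts[tgt])
        value = int(parts[tgt]) + (-delta if decrypt else delta)
        parts[tgt] = str(value % 10 ** width).zfill(width)
    return parts[0] + parts[1]

def protect_pan(text: str, key: bytes, keep: int = 4, decrypt: bool = False) -> str:
    """Layer on top of FPE: separators stay put, the first `keep` digits stay
    clear, the middle goes through FPE, and the Luhn digit is recomputed.
    Round-trips only for inputs whose last digit is a valid Luhn digit."""
    pan = "".join(c for c in text if c in DIGITS)
    if len(pan) - keep - 1 < 2:
        raise ValueError("too few digits left to encrypt")
    body = pan[:keep] + toy_digit_fpe(key, pan[keep:-1], decrypt)
    out = iter(body + luhn_check_digit(body))
    # Re-insert every non-digit character at its original index.
    return "".join(next(out) if c in DIGITS else c for c in text)

KEY = b"constructed-demo-key"  # constructed sample key, not from the page
if __name__ == "__main__":
    token = protect_pan("4111-1111-1111-1111", KEY)
    print(token, protect_pan(token, KEY, decrypt=True))
```

With a vetted FF1 implementation, only the body of `toy_digit_fpe` changes; the separator, prefix and check-digit handling stay outside the cipher.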