Tokenization, Format Preserving Encryption: A Case Study
Cartes & Identification 2011

Stéphane Cauchie | 8 September 2011 (08-09-2011)
Transactional services. Powering progress © Confidential

Tokenisation and format preserving encryption,

Case study: Tokenisation and format preserving encryption, presented at Cartes & Identification 2011 by Stéphane Cauchie

Page 2: Tokenisation and format preserving encryption,

Summary

▶ What is Tokenization in two words
– Definition & Functionalities
– Use cases

▶ How does it work?
– Random Token System
– Format Preserving Encryption

▶ Conclusion

Page 3: Tokenisation and format preserving encryption,

What is tokenization in two words [DEFINITION]

▶ Definition
– Tokenization is the process of replacing sensitive data with non-sensitive data (tokens) that satisfy the following properties:
• Tokens bear enough information to be useful (e.g. the entity handling a token can complete a transaction as if it were the sensitive data).
• Tokens do not compromise security.
– A tokenization system tries to minimize the integration impact on the existing infrastructure.

▶ Who offers such a service

Page 4: Tokenisation and format preserving encryption,

What is tokenization in two words [FUNCTIONALITIES]

▶ Functional description of a tokenization system
– Conversion (convert sensitive data into a token and vice versa)
– Conversion policy (format definition, mode of operation)
– Communication channel: authentication, integrity, confidentiality

[Diagram: Tokenization System, External System]

Page 5: Tokenisation and format preserving encryption,

What is tokenization in two words [USE-CASES]

▶ Focusing on payment (but not limited to)
– Context:
• Sensitive data: PAN, …
• PCI compliance
– Use cases
• MOTO
• Face2Face

[Diagram: CardHolder, Acquirer, Issuer, Acceptor]

Page 6: Tokenisation and format preserving encryption,

What is tokenization in two words [USE-CASES]

– Use cases
• MOTO
• Proximity payment

[Diagram: CardHolder, Acquirer, Issuer, Acceptor; label: E2E-Encryption]

Page 7: Tokenisation and format preserving encryption,

What is tokenization in two words [USE-CASES]

[Diagram: CardHolder, Acquirer, Issuer, Acceptor; label: Secure MOTO]

Page 8: Tokenisation and format preserving encryption,

What is tokenization in two words [USE-CASES]

[Diagram: CardHolder, Acquirer, Issuer, Acceptor; label: Process transaction]

Page 10: Tokenisation and format preserving encryption,

Tokenization and Format Preserving Encryption: A Case Study

How does it work? [Objectives-Constraints]

▶ PCI-DSS (Payment Card Industry Data Security Standard):
• Security requirements for entities processing card data (processing, transmission and storage)
▶ Objectives:
• Reduce the PCI evaluation perimeter
• Choose a suitable algorithm that tokenizes a PAN
▶ Constraints:
• The algorithm must be collision free
• In a certain mode the algorithm must be "not reversible"
• In a certain mode the algorithm must not take secret parameters

Page 11: Tokenisation and format preserving encryption,

How does it work? [RandomToken]

▶ Random Token
– Card data are
• ciphered (classic algorithms)
• stored in a database
– The system generates an associated token
• Format is respected
• Checks that there is no collision
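One way to implement the random token system described on this slide, as an added example (not code from the presentation): tokens are drawn at random with the PAN's length, must fail the Luhn check so they cannot be mistaken for a PAN, and collisions are caught by the database key. `TokenVault`, its table layout, the HMAC lookup index and the Luhn rule are assumptions of this sketch; `sealed_pan` is the PAN ciphertext produced by the caller's own cipher.

```python
import hashlib
import hmac
import secrets
import sqlite3


def luhn_valid(digits):
    """True when the digit string passes the Luhn check that real PANs pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Random token system: a token has no mathematical link to its PAN."""

    def __init__(self, index_key):
        self.index_key = index_key
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE vault (token TEXT PRIMARY KEY,"
                        " pan_mac BLOB UNIQUE, sealed_pan BLOB)")

    def tokenize(self, pan, sealed_pan):
        # Keyed hash as lookup index, so the table never holds a clear PAN.
        mac = hmac.new(self.index_key, pan.encode(), hashlib.sha256).digest()
        while True:
            row = self.db.execute("SELECT token FROM vault WHERE pan_mac = ?",
                                  (mac,)).fetchone()
            if row:
                return row[0]               # same PAN always maps to the same token
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token == pan or luhn_valid(token):
                continue                    # must not be mistaken for a real PAN
            try:
                self.db.execute("INSERT INTO vault VALUES (?, ?, ?)",
                                (token, mac, sealed_pan))
                return token
            except sqlite3.IntegrityError:
                continue                    # collision: look up again or redraw

    def sealed_pan_for(self, token):
        row = self.db.execute("SELECT sealed_pan FROM vault WHERE token = ?",
                              (token,)).fetchone()
        return row[0] if row else None
```

Because the token is random, detokenization is only possible through the vault, which is why the comparison slide rates multi-site deployment as difficult for this approach.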

Page 13: Tokenisation and format preserving encryption,

How does it work? [FPE based tokenization]

▶ FPE: Format Preserving Encryption.
▶ Introduced by Brightwell [BS97]
o Encryption scheme with
o format preserving property
▶ Format definition is a key point
– Follow PCI guidelines:
• you have to differentiate a token from a PAN
▶ NIST is considering 3 FPE algorithms
▶ Applications:
• Social Security Number
• Credit Card Number

[Figure: First introduction of Format Preserving Encryption [BS97]]

Page 14: Tokenisation and format preserving encryption,

How does it work? [FPE based tokenization]

▶ NIST is considering 3 FPE algorithms
• FFX [FFX10]
• BPS [BPS10]
• FCEM [FCEM10]

[Figure: FFX, BPS, FCEM]

Page 15: Tokenisation and format preserving encryption,

How does it work? [Cryptographic-Approach]

▶ Feistel
o Invented by Horst Feistel.
o Round notion
o Input is split in 2
o F: cipher function
o Secret key K
o Key derivation algorithm
o During a round
  $A_{i+1} = B_i$
  $B_{i+1} = A_i \oplus F_{k_i}(B_i)$
o Example
  DES: 16 rounds.

Page 16: Tokenisation and format preserving encryption,

How does it work? [Cryptographic-Approach]

| Feature | FFX | BPS | FCEM |
|---|---|---|---|
| Feistel based | Yes | Yes | No |
| #Rounds | 12 | 8 | 2 |
| Cipher function | AES | AES/TDES/SHA | AES |
| #Function is used | 12 | 8 | 8 |
| Reversibility | Yes | Yes | Yes |
| Tweak | Yes | Yes | No |

▶ Cryptographic notions
– Tweak notion: adds variability to cryptographic schemes
– Patarin attack: differentiates ciphertext from a random string
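A toy digit-preserving Feistel cipher that follows the round equations and the tweak notion from these slides, as an added example (it is not FFX, BPS or FCEM, and not code from the presentation). Assumptions: ⊕ is addition modulo 10^width, HMAC-SHA256 stands in for the AES round function, 8 rounds are used, and `fpe_encrypt` / `fpe_decrypt` are hypothetical names.

```python
import hashlib
import hmac

ROUNDS = 8  # even, so both halves return to their original widths


def _f(key, tweak, i, half, width):
    """Round function F_{k_i}: HMAC-SHA256 output reduced to `width` digits."""
    k_i = hmac.new(key, b"round" + bytes([i]), hashlib.sha256).digest()
    msg = bytes([len(tweak), width]) + tweak + half.encode()
    digest = hmac.new(k_i, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10 ** width


def _check(digits):
    # Tiny domains can be enumerated, so refuse very short inputs.
    if not (digits.isascii() and digits.isdigit() and len(digits) >= 6):
        raise ValueError("expected at least 6 decimal digits")


def fpe_encrypt(key, tweak, digits):
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        # A_{i+1} = B_i ; B_{i+1} = A_i (+) F_{k_i}(B_i), addition mod 10^|A_i|
        mixed = (int(a) + _f(key, tweak, i, b, len(a))) % 10 ** len(a)
        a, b = b, str(mixed).zfill(len(a))
    return a + b


def fpe_decrypt(key, tweak, digits):
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        # Undo one round: B_i = A_{i+1} ; A_i = B_{i+1} (-) F_{k_i}(B_i)
        prev_a = (int(b) - _f(key, tweak, i, a, len(b))) % 10 ** len(b)
        a, b = str(prev_a).zfill(len(b)), a
    return a + b
```

The same key with a different tweak yields a different token for the same PAN, and the output is again a digit string of the input's length, so a separate format rule is still needed to tell a token from a PAN.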

Page 17: Tokenisation and format preserving encryption,

How does it work? [Analysis]

| Feature | Random Token | FPE |
|---|---|---|
| Multi site | Difficult | Medium |
| Key deployment | Medium | Hard |
| Format preserving | Easy | Easy |
| Performance | Low | Fast |
| Token/Data link | No (except in DB) | Algorithm |

Page 19: Tokenisation and format preserving encryption,

Conclusion [VISION]

▶ Which choice?

[Diagram: CardHolder, Acquirer, Issuer, Acceptor; labels in order of appearance: Secure MOTO, Process transaction, FPE, RTS, E2E-Encryption, FPE, FPE]

Page 20: Tokenisation and format preserving encryption,

Conclusion

▶ Tokenization in payment context
– It allows the reduction of the PCI audit perimeter in a payment application
– Waiting for NIST approval.
▶ Depending on use case:
– Random Tokenization:
• In case of internal processing
– FPE based Tokenization:
• In case of multi site
• In case of multi-party protocols

Page 21: Tokenisation and format preserving encryption,

Questions?

References

[BS97] Brightwell, Michael & Smith. Using datatype preserving encryption to enhance data warehouse security. 20th National Information Systems Security Conference, NIST, 1997.

[FFX10] Bellare M, Rogaway P & Spies T. The FFX Mode of Operation for Format preserving Encryption. 2010.

[BPS10] Brier E, Peyrin T & Stern J. BPS: a Format Preserving Encryption Proposal. Ingenico, 2010.

[FCEM10] Ulf T Matsson. Format preserving Encryption Using Datatype preserving Encryption. 2010.

[SEC2] Certicom Research. SEC2: Recommended Elliptic Curve Domain Parameters. 2000.

[BSGS] D. Shanks. Five number-theoretic algorithms. Proceedings of the Second Manitoba Conference on Numerical Mathematics. 1975.

[RHO] J.M. Pollard. A Monte Carlo method for factorization. 1978.

[CI] Pierrick Gaudry. Algorithmiques des courbes algébriques pour la cryptologie. 2008.

[PCI] Scoping SIG, Tokenization Taskforce, PCI Security Standards Council. PCI-DSS. 2011.

atos.net

Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere, Atos Cloud and Atos WorldGrid are registered trademarks of Atos SA. August 2011. © 2011 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.

Page 22: Tokenisation and format preserving encryption,

Survey on FPE

BPS

Page 23: Tokenisation and format preserving encryption,

Survey on FPE

▶ BPS:
▶ Authors: Brier E, Peyrin T & Stern J.
▶ Published in 2010.
▶ BPS: "a Format Preserving Encryption Proposal".
▶ Features:
• 8 rounds.
• 64-bit tweak split into 2 sub-tweaks
o TL and TR
• F: AES or one-way function.
• K: secret key
• Reversible.
• Patarin resistant.

Page 25: Tokenisation and format preserving encryption,

Survey on FPE

FFX

Page 26: Tokenisation and format preserving encryption,

Survey on FPE

▶ FFX:
▶ Authors: Bellare M, Rogaway P & Spies T.
▶ Published in 2009 and 2010.
▶ FFX: "Format Preserving Feistel-based Encryption"
▶ Features:
• 12 rounds,
• 64-bit tweak,
• FK: AES-128 or one-way function
• K: secret key
• reversible

Page 27: Tokenisation and format preserving encryption,

Survey on FPE

FCEM

Page 28: Tokenisation and format preserving encryption,

Survey on FPE

▶ Author: Ulf T Matsson.
▶ Published in 2009.
▶ FCEM: "Format Controlling Encryption Mode".
▶ Features:
• 8 steps
o Index Value Data
o Encryption of Left
o Encryption of Right
o Scrambled
o Rippled Left to Right
o Rippled Right to Left
o Encryption and Update
o The last transformation
• F: AES-128
• K: secret key
• reversible

Page 29: Tokenisation and format preserving encryption,

Survey on FPE

▶ Index Value data:
• Rewriting the input as hexadecimal values.
• Example:
o X: 1122334455667788
o Index Value data: 01010202030304040505060607070808
▶ Encryption of Left:
• Encryption of the left part
• Example:
o Index Value data: 01010202030304040505060607070808
o Output of FK: 00C01F49D0C2C050188D8FDFADCDF846
o RightUpdate: 0507070905010008
▶ Encryption of Right:
• Same idea
• We get LeftUpdate: 0101080503060303

Page 30: Tokenisation and format preserving encryption,

Survey on FPE

▶ Scrambled:
• Concatenate LeftUpdate and RightUpdate.
• Example:
o CipherScrambled: 01010805030603030507070905010008
▶ RippledLeftToRight:
• Scrambled is modified by:
o CipherScrambled: 01010805030603030507070905010008
o 01 ⊕ 01 = (0 × 16) + 1 + (0 × 16) + 1 = 02 ≡ 02 (mod 10).
o RippledLeftToRight = 0102
o RippledLeftToRight = 01020005080407000503090803040402
▶ RippledRightToLeft:
• Same idea
• RippledLeftToRight = 04030101060804070702000103000602
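The two ripple passes of this slide and their inverses, as an added example (not the FCEM reference code), reading the slide's ⊕ as a running sum modulo 10; the function names are hypothetical. Run on the slide's CipherScrambled value, the right-to-left result matches the slide digit for digit, while the computed left-to-right intermediate has 02 where the slide prints 03 as its tenth value.

```python
RADIX = 10  # decimal alphabet, matching the slide's "(mod 10)"


def to_index_values(digits):
    """'1122...' -> [1, 1, 2, 2, ...]: one index value per input digit."""
    return [int(d) for d in digits]


def parse(text):
    """Split a two-hex-characters-per-value string into a list of ints."""
    return [int(text[i:i + 2], 16) for i in range(0, len(text), 2)]


def fmt(values):
    """Render values the way the slides print them, e.g. [1, 2] -> '0102'."""
    return "".join(f"{v:02X}" for v in values)


def ripple_left_to_right(values):
    """Each output is the sum mod RADIX of itself and all values to its left."""
    out, acc = [], 0
    for v in values:
        acc = (acc + v) % RADIX
        out.append(acc)
    return out


def unripple_left_to_right(values):
    """Inverse pass: subtract the previous rippled value from each one."""
    return [(v - p) % RADIX for p, v in zip([0] + values[:-1], values)]


def ripple_right_to_left(values):
    return ripple_left_to_right(values[::-1])[::-1]


def unripple_right_to_left(values):
    return unripple_left_to_right(values[::-1])[::-1]


SCRAMBLED = parse("01010805030603030507070905010008")  # value from the slide
L2R = ripple_left_to_right(SCRAMBLED)
R2L = ripple_right_to_left(L2R)
print(fmt(L2R))
print(fmt(R2L))
```

After both passes every output digit depends on every input digit, and each pass is undone by a subtraction, which is what keeps the mode reversible.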

Page 31: Tokenisation and format preserving encryption,

Survey on FPE

▶ Encryption and Modular Sum:
• RippledLeftToRight: 04030101060804070702000103000602