ANSI X9.124-5:2021 pdf free download – Symmetric Key Cryptography For the Financial Services Industry
1 Scope
The American National Standard (ANS) X9. 124, Format Preserving Encryption, defines a collection of methods for encrypting data strings so that the length and the character set for the ciphertext is the same as those of the plaintext.This is called format-preserving encryption (FPE). These methods are useful in situations where fixed-format data, such as Primary Account Numbers (PANs) or Social Security Numbers (SSNs), must be encrypted, but there is a requirement to limit changes to existing communication protocols, database schemata or application code. Part 1 of this standard (Reference 1) includes a set of definitions common to all FPE techniques, a security model for FPE block cipher techniques, and a description of the pseudocode language used in defining the mode specified in this document.
This document, part 5 of the Standard, defines requirements for using the AES or TDEA block cipher to perform FPE using a format-preserving Feistel-based mode known as FF3.1, which is part of the FFX family. The FFX method is a family of format-preserving block ciphers. FFX stands for Format-preserving Feistel-based where the X reflects a specific algorithm.
2 Purpose
The purpose of this standard is to provide an approved method for implementing the Format- Preserving Encryption – Feistel-Based, mode 3 (FF3.1) of format preserving encryption (FPE).
6.3.2 FF3.1-AES
The FF3.1.Encrypt and FF3.1.Decrypt routines can be used with the FF3.1-AES functions in this section to form an FPE block cipher mode based on AES. In this case, the FF3.1 .check function is mapped to FF3.1.AES.check, and the FF3.1.PRF function is mapped to FF3.1.AES.PRF, as specified below.
6.3.2.1 FF3.1-AES
Validity Check The FF3.1-AES algorithm uses a PRF function that uses 32 bits of tweak per round. The tweak bits are exclusive- ORed with the round number, and this value is concatenated with the PRF input. This concatenated result is the input to the underlying block cipher. This requires that the tweak be exactly 64 bits (8 bytes) long, and that half the cipher input fit into the remainder of the AES block, which limits the input of the PRF to 96 bits (12 bytes). Thus, the input to the encryption function is limited to 192 bits (24 bytes); see the table in Section 6.1. Note that, unlike FF1 and FF2.1, only half the tweak is used in any particular Feistel round. This function integrates a tweak management method in order to address a BPS domain separation issue. As explained in Section 5, fixing eight bits of the tweak to a constant value is an efficient countermeasure and requires a 56-bit tweak as input for FF3.1, rather than the 64-bit tweak that was required by BPS. The following function takes a tweak of 56 bits as input and outputs a 64-bit tweak with bits 28-31 and 60-63 set to 0 (see Section 6.2.2).