New NIST Security Standard for Format-Preserving Encryption

The National Institute of Standards and Technology (NIST) has published a new computer security standard that will protect financial information and could also be used to make personal health records more anonymous. NIST Special Publication (SP) 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, describes two algorithms for format-preserving encryption (FPE). Previous NIST-approved data encryption methods were designed for binary data, so they weren’t well suited for credit cards, which are typically 16 digits long. The new algorithms take any sequence of numbers (or symbols) and produce a result with the same length as the original. These new techniques were vetted during public comment periods on the standard in 2009 and 2013.

An FPE-encrypted credit card number looks like a credit card number. This allows FPE to be retrofitted to the existing, installed base of devices.

Morris Dworkin, author of NIST 800-38G
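
The sketch below is an added illustration, not code from NIST or from this article: it shows how an alternating Feistel network over decimal digits, the general construction the SP 800-38G methods build on, keeps the ciphertext the same length and alphabet as the input. It is not either of the standard's algorithms; the round function uses HMAC-SHA-256 instead of AES, and the key, tweak, round count and sample numbers are constructed for the example.

```python
import hashlib
import hmac

ROUNDS = 10  # constructed choice for this sketch

def _round_value(key, tweak, rnd, half, modulus):
    """Keyed pseudo-random integer in [0, modulus) derived from the other half."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus

def _split(digits):
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("input must be at least two ASCII decimal digits")
    u = len(digits) // 2
    return digits[:u], digits[u:], u, len(digits) - u

def fpe_encrypt(key, tweak, digits):
    a, b, u, v = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v      # width of the half being replaced
        c = (int(a) + _round_value(key, tweak, i, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)       # zero-pad so the width never changes
    return a + b

def fpe_decrypt(key, tweak, digits):
    a, b, u, v = _split(digits)
    for i in reversed(range(ROUNDS)):   # undo the rounds in reverse order
        m = u if i % 2 == 0 else v
        p = (int(b) - _round_value(key, tweak, i, a, 10 ** m)) % 10 ** m
        a, b = str(p).zfill(m), a
    return a + b

if __name__ == "__main__":
    key, tweak = b"constructed-demo-key", b"constructed-tweak"
    # Constructed samples: a 16-digit card-style number and a 9-digit number
    for sample in ("4111111111111111", "012345678"):
        ct = fpe_encrypt(key, tweak, sample)
        print(sample, "->", ct, "->", fpe_decrypt(key, tweak, ct))
```

Because every round adds modulo a power of ten and zero-pads the result, a 16-digit input always yields 16 digits and a 9-digit input always yields 9, including any leading zeros.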

The main goal for the new data encryption techniques is to protect credit card numbers; however, NIST has also suggested that the algorithms could be used to protect personal medical information. The FPE methods could help anonymize medical records that are stored in research databases, which often identify patients by their Social Security numbers. NIST SP 800-38G is now available online, free of charge at
