Cisco Systems is trying out a new experimental cipher aimed at reducing the bandwidth and IT storage overhead for some web applications.
“Traditional block ciphers work on fixed blocks of data—as an example, AES is well-defined for 128/192/256 bits,” wrote Cisco engineer, Sashank Dara, in a blog. “But one of the issues is the need for padding—so if you need to encrypt small amounts of data, you may end with a huge difference in input vs. output size. As an example, using AES/128 on ECB mode to encrypt an IPv4 address results in an input size of 32 bits, but an output size of 128 bits. This may not be desired for some applications.”
Cisco has designed the Flexible Naor and Reingold (FNR) proposed encryption scheme for encrypting objects that come in under 128 bits, like IPv4 addresses, MAC addresses, arbitrary strings, etc., while preserving their input lengths. The demo application that the company is showing off – both the specification and the source code have been made public – is for the encryption of IPv4 addresses (the cipher preserves their formats as well if needed).
“Such length-preserving encryption would be useful when encrypting sensitive fields of rigid packet formats, database columns of legacy systems, etc. in order to avoid any re-engineering efforts for privacy preservation,” Dara said.
Specifically, when FNR is used in ECB mode, it realizes a deterministic encryption scheme.
“Like all deterministic encryption methods, this does not provide semantic security, but determinism is needed in situations where anonymizing telemetry and log data (especially in cloud-based network monitoring scenarios) is necessary,” noted Dara. “This also lends itself nicely to achieving searchable encryption operations such as provided the cryptdb project. Due to the length preserving nature in FNR, it is a better fit in some scenarios than cryptdb, as the cryptdb method expands the data size, resulting in bandwidth and storage savings.”
FNR is still an experimental block cipher, not ready for production yet, and the company is waiting for feedback from the open-source community to improve upon its initial design.