I Object! Common Objections to Format-Preserving Encryption Debunked


Guest post by Luther Martin, Micro Focus Distinguished Technologist

Richard Thaler was recently awarded the 2017 Nobel Prize in Economics for his work in behavioral economics – essentially for understanding how people don’t think and act rationally. His research was initially opposed by lots of economists. After all, that consumers and producers act rationally is a key part of the economic models that you learn in ECON 101, despite the preponderance of evidence that suggests that we really don’t act that way.

In his book Misbehaving, Thaler describes how he learned to deal with the standard objections that economists would have to his work, and it’s based on an old joke. In this joke, a convict is sentenced to life imprisonment. His fellow prisoners have been there so long that they’ve memorized a book of 101 jokes and now just refer to them by number instead of telling them. “Fifty-five!” one will call out, and the rest will laugh, etc.

Based on this joke, Thaler would start his talks about behavioral economics with a list of the standard objections, and then suggest that the economists present could then refer to them by number to save time. So instead of stating the full objection, an efficient economist could just say, “Objection number two!” later in Thaler’s talk.

I might have copied this idea when format-preserving encryption (FPE) was a new idea. (And it might even have been based on Thaler’s idea.) There was a fairly short list of standard objections that people would come up with after hearing about FPE for the first time, all of which we had considered and found ways to handle. So at the beginning of talks about FPE I would mention the old joke, list the common objections and suggest that just saying, “Objection three!” later in the talk would be more efficient for everyone involved. And although the slide that I would show at this point didn’t say it, I would add something like, “Here are the common objections to FPE, all of which we’ve already considered and developed ways to handle.” One example is how format-preserving encryption lets agencies keep doing their work without their systems slowing down or breaking altogether, because the encrypted data keeps the same format as the original.

It seemed to work well. FPE has become a very successful technology. It’s widely used in the payments industry, and if you use your credit card in a brick-and-mortar store, there’s a good chance that FPE is being used to protect your credit card number from hackers. And FPE has even been recognized by the US government – it’s now allowed for use under FIPS 140-2, “Security Requirements for Cryptographic Modules,” the world’s leading standard for encryption.

I don’t think that blatantly copying Thaler’s way to handle objections was a key part of making this happen, but it probably didn’t hurt. It certainly did save a bit of time. 


About the Author
Luther Martin, Micro Focus Distinguished Technologist, is a frequent contributor to articles and blogs. Recent articles include “The Security of Cryptography and the Wisdom of Crowds” in the ISSA Journal, “The dangers of implementing blockchain technology” in Information Age, and “Data-centric security changes the vulnerability game” and “Is quantum computing the end of security as we know it?” in TechBeacon.


Data security and encryption