IPCrypt Encryption Modes
IPCrypt provides four distinct encryption modes, each designed for specific use cases and security requirements. This page explains each mode in detail, including their operation, properties, and appropriate use cases.
Overview of Encryption Modes
IPCrypt offers the following encryption modes:
ipcrypt-deterministic
Format-preserving encryption using AES-128
The deterministic mode always produces the same output for the same input and key, preserving the IP address format.
ipcrypt-nd
Non-deterministic encryption using KIASU-BC with an 8-byte tweak
The non-deterministic mode produces different outputs for the same input and key, preventing correlation attacks.
ipcrypt-ndx
Non-deterministic encryption using AES-XTS with a 16-byte tweak
The extended non-deterministic mode provides maximum security with a larger tweak and output size.
ipcrypt-pfx
Prefix-preserving encryption that maintains network structure
The prefix-preserving mode maintains network relationships in encrypted addresses, enabling network-level analytics while protecting actual network identities.
| Feature                | Deterministic | Prefix-Preserving (PFX) | Non-Deterministic (ND) | Extended ND (NDX) |
|------------------------|---------------|-------------------------|------------------------|-------------------|
| Format Preservation    | ✓             | ✓                       | ✗                      | ✗                 |
| Correlation Protection | ✗             | ✗                       | ✓                      | ✓                 |
| Output Size            | 16 bytes      | 4/16 bytes              | 24 bytes               | 32 bytes          |
| Algorithm              | AES-128       | Dual AES-128            | KIASU-BC               | AES-XTS           |
| Tweak Size             | N/A           | N/A                     | 8 bytes                | 16 bytes          |
ipcrypt-deterministic Mode
How It Works
Format-preserving encryption using AES-128
The deterministic mode uses AES-128 as a single-block operation to encrypt IP addresses while preserving their format.
```
+----------------+     +----------------+     +----------------+
|                |     |                |     |                |
|   IP Address   |---->|   Convert to   |---->|    AES-128     |
|  (192.168.1.1) |     |  16-byte form  |     |   Encryption   |
|                |     |                |     |                |
+----------------+     +----------------+     +----------------+
                                                      |
                       +----------------+             |
                       |                |             |
                       |  16-byte Key   |-------------+
                       |                |             |
                       +----------------+             |
                                                      v
                       +----------------+     +----------------+
                       |                |     |                |
                       |   Encrypted    |<----|  Convert back  |
                       |   IP Address   |     |  to IP format  |
                       |                |     |                |
                       +----------------+     +----------------+
```
Process Flow
Key Properties
Use Cases
Code Example
```python
from ipcrypt import IPCrypt

# Initialize with a 16-byte key
key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ipcrypt = IPCrypt(key)

# Encrypt an IPv4 address
ip = "192.168.1.1"
encrypted_ip = ipcrypt.encrypt_deterministic(ip)
print(f"Original IP: {ip}")
print(f"Encrypted IP: {encrypted_ip}")

# Decrypt the IP address
decrypted_ip = ipcrypt.decrypt_deterministic(encrypted_ip)
print(f"Decrypted IP: {decrypted_ip}")
```
ipcrypt-pfx Mode
How It Works
Prefix-preserving encryption using dual AES-128
The prefix-preserving mode encrypts IP addresses while maintaining network structure. Addresses from the same network produce encrypted addresses that share a common encrypted prefix, enabling network analytics while protecting actual network identities.
```
+----------------+     +----------------+     +----------------+
|                |     |                |     |                |
|   IP Address   |---->|  Process each  |---->| For each bit:  |
|  (192.168.1.1) |     |  bit position  |     |  Compute PRF   |
|                |     |  sequentially  |     | XOR with input |
+----------------+     +----------------+     +----------------+
                                                      |
                       +----------------+             |
                       |                |             |
                       |  32-byte Key   |-------------+
                       |                |             |
                       +----------------+             |
                                                      v
                       +----------------+     +----------------+
                       |                |     |                |
                       |  Encrypted IP  |<----|   Maintains    |
                       |  (Same subnet  |     |  native size   |
                       | = same prefix) |     | (4 or 16 bytes)|
                       +----------------+     +----------------+
```
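The bit-by-bit "compute PRF, XOR with input" construction described above, written out as an added example that is not the IPCrypt project's code: HMAC-SHA256 stands in for the dual AES-128 PRF and the prefix padding is this example's own, so the output is not wire-compatible with ipcrypt-pfx, but it shows why the PRF must be keyed on the plaintext prefix, how decryption recovers one bit at a time, and why two addresses sharing n leading bits yield ciphertexts sharing exactly n leading bits. All function names and the demo key are assumptions.

```python
import hashlib
import hmac
import ipaddress


def _prf_bit(key: bytes, plain_prefix: str) -> int:
    """Keystream bit for the next position, derived only from the plaintext bits
    already processed. HMAC-SHA256 stands in for ipcrypt-pfx's dual AES-128 PRF
    (an assumption of this example); the prefix length is bound into the input."""
    msg = bytes([len(plain_prefix)]) + int(plain_prefix or "0", 2).to_bytes(16, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def _transform(key: bytes, addr: str, decrypt: bool) -> str:
    ip = ipaddress.ip_address(addr)
    nbits = ip.max_prefixlen                  # 32 for IPv4, 128 for IPv6: native size is kept
    in_bits = format(int(ip), f"0{nbits}b")
    plain_prefix, out_bits = "", []
    for i in range(nbits):
        out_bit = int(in_bits[i]) ^ _prf_bit(key, plain_prefix)
        out_bits.append(str(out_bit))
        # The PRF is always keyed on the *plaintext* prefix: the input bit when
        # encrypting, the bit just recovered when decrypting. That is what makes
        # addresses with n shared leading bits produce ciphertexts sharing n bits.
        plain_prefix += str(out_bit) if decrypt else in_bits[i]
    return str(type(ip)(int("".join(out_bits), 2)))


def encrypt_pfx_demo(key: bytes, addr: str) -> str:
    return _transform(key, addr, decrypt=False)


def decrypt_pfx_demo(key: bytes, addr: str) -> str:
    return _transform(key, addr, decrypt=True)


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two same-family addresses have in common."""
    x, y = ipaddress.ip_address(a), ipaddress.ip_address(b)
    xb, yb = (format(int(v), f"0{x.max_prefixlen}b") for v in (x, y))
    n = 0
    while n < x.max_prefixlen and xb[n] == yb[n]:
        n += 1
    return n


if __name__ == "__main__":
    key = bytes(range(32))                    # constructed 32-byte demo key
    for a, b in [("10.0.0.47", "10.0.0.129"), ("10.0.0.47", "10.0.1.47")]:
        ea, eb = encrypt_pfx_demo(key, a), encrypt_pfx_demo(key, b)
        print(f"{a} -> {ea}   {b} -> {eb}   shared leading bits: "
              f"{common_prefix_len(a, b)} before, {common_prefix_len(ea, eb)} after")
        assert decrypt_pfx_demo(key, ea) == a
```

The same structure also explains the "Slower (bit-by-bit)" performance note in the comparison table: every output bit costs one PRF call, so a 128-bit IPv6 address needs 128 of them.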
Process Flow
Key Properties
Use Cases
Important Considerations
Code Example
```python
from ipcrypt import IPCrypt
import os

# Initialize with a 32-byte random key
key = os.urandom(32)  # Generate a secure random 32-byte key
ipcrypt = IPCrypt(key)

# Encrypt IPv4 addresses from the same subnet
ip1 = "10.0.0.47"
ip2 = "10.0.0.129"
encrypted_ip1 = ipcrypt.encrypt_pfx(ip1)
encrypted_ip2 = ipcrypt.encrypt_pfx(ip2)
print(f"Original: {ip1} -> Encrypted: {encrypted_ip1}")
print(f"Original: {ip2} -> Encrypted: {encrypted_ip2}")
# Note: Both encrypted IPs will share the same /24 prefix

# Decrypt the IP addresses
decrypted_ip1 = ipcrypt.decrypt_pfx(encrypted_ip1)
print(f"Decrypted: {decrypted_ip1}")

# IPv6 example
ipv6 = "2001:db8::1"
encrypted_ipv6 = ipcrypt.encrypt_pfx(ipv6)
print(f"IPv6: {ipv6} -> {encrypted_ipv6}")
```
Prefix Preservation Example
The following example demonstrates how addresses from the same network maintain their relationship after encryption:
```
Original Network: 192.168.1.0/24
├── 192.168.1.10
├── 192.168.1.25
└── 192.168.1.200

Encrypted (with same key):
├── 87.234.19.147 (shares encrypted /24 prefix)
├── 87.234.19.201 (shares encrypted /24 prefix)
└── 87.234.19.42  (shares encrypted /24 prefix)

Note: The encrypted prefix (87.234.19.x) is cryptographically transformed
and unrecognizable without the key, but the network relationship is preserved.
```
ipcrypt-nd Mode
How It Works
Non-deterministic encryption using KIASU-BC with an 8-byte tweak
The non-deterministic (nd) mode uses KIASU-BC, a tweakable block cipher based on AES, with an 8-byte tweak to provide non-deterministic encryption.
```
+----------------+     +----------------+     +----------------+
|                |     |                |     |                |
|   IP Address   |---->|   Convert to   |---->|    KIASU-BC    |
|  (192.168.1.1) |     |  16-byte form  |     |   Encryption   |
|                |     |                |     |                |
+----------------+     +----------------+     +----------------+
                                                      |
                       +----------------+             |
                       |                |             |
                       |  16-byte Key   |-------------+
                       |                |             |
                       +----------------+             |
                                                      |
                       +----------------+             |
                       |                |             |
                       |  8-byte Tweak  |-------------+
                       |    (random)    |             |
                       +----------------+             |
                                                      v
                                              +----------------+
                                              |                |
                                              |   Encrypted    |
                                              | 24-byte value  |
                                              | (tweak+cipher) |
                                              +----------------+
```
Process Flow
Key Properties
Use Cases
Code Example
```python
from ipcrypt import IPCrypt
import os

# Initialize with a 16-byte key
key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ipcrypt = IPCrypt(key)

# Generate a random 8-byte tweak
tweak = os.urandom(8)

# Encrypt an IPv4 address
ip = "192.168.1.1"
encrypted_ip = ipcrypt.encrypt_nd(ip, tweak)
print(f"Original IP: {ip}")
print(f"Encrypted IP: {encrypted_ip}")

# Decrypt the IP address
decrypted_ip = ipcrypt.decrypt_nd(encrypted_ip, tweak)
print(f"Decrypted IP: {decrypted_ip}")
```
ipcrypt-ndx Mode
How It Works
Non-deterministic encryption using AES-XTS with a 16-byte tweak
The extended non-deterministic (ndx) mode uses AES-XTS, a tweakable block cipher designed for disk encryption, with a 16-byte tweak to provide maximum security.
```
+----------------+     +----------------+     +----------------+
|                |     |                |     |                |
|   IP Address   |---->|   Convert to   |---->|    AES-XTS     |
|  (192.168.1.1) |     |  16-byte form  |     |   Encryption   |
|                |     |                |     |                |
+----------------+     +----------------+     +----------------+
                                                      |
                       +----------------+             |
                       |                |             |
                       |  16-byte Key   |-------------+
                       |                |             |
                       +----------------+             |
                                                      |
                       +----------------+             |
                       |                |             |
                       | 16-byte Tweak  |-------------+
                       |    (random)    |             |
                       +----------------+             |
                                                      v
                                              +----------------+
                                              |                |
                                              |   Encrypted    |
                                              | 32-byte value  |
                                              | (tweak+cipher) |
                                              +----------------+
```
Process Flow
Key Properties
Use Cases
Code Example
```python
from ipcrypt import IPCrypt
import os

# Initialize with a 16-byte key
key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ipcrypt = IPCrypt(key)

# Generate a random 16-byte tweak
tweak = os.urandom(16)

# Encrypt an IPv4 address
ip = "192.168.1.1"
encrypted_ip = ipcrypt.encrypt_ndx(ip, tweak)
print(f"Original IP: {ip}")
print(f"Encrypted IP: {encrypted_ip}")

# Decrypt the IP address
decrypted_ip = ipcrypt.decrypt_ndx(encrypted_ip, tweak)
print(f"Decrypted IP: {decrypted_ip}")
```
Choosing the Right Mode
Mode Selection Guide
Factors to consider when choosing an encryption mode
When selecting an encryption mode, consider the following factors:
For most applications, the deterministic mode provides a good balance of security and usability. When network analytics are needed, pfx mode preserves subnet relationships. When privacy concerns are paramount, the non-deterministic modes offer stronger protection against correlation attacks.
Mode Comparison
| Feature                | Deterministic          | Prefix-Preserving (PFX) | Non-Deterministic (ND) | Extended ND (NDX)      |
|------------------------|------------------------|-------------------------|------------------------|------------------------|
| Underlying Algorithm   | AES-128                | Dual AES-128            | KIASU-BC               | AES-XTS                |
| Format Preservation    | ✓                      | ✓                       | ✗                      | ✗                      |
| Correlation Protection | ✗                      | ✗                       | ✓                      | ✓                      |
| Output Size            | 16 bytes               | 4/16 bytes              | 24 bytes               | 32 bytes               |
| Tweak Size             | N/A                    | N/A                     | 8 bytes                | 16 bytes               |
| Security Margin        | Standard               | Beyond Birthday         | High                   | Highest                |
| Performance            | Fastest                | Slower (bit-by-bit)     | Fast                   | Moderate               |
| Recommended Use Case   | Logging, Rate Limiting | Network Analytics       | Data Sharing           | Highest Security Needs |
Implementation Considerations
Implementation Best Practices
Key considerations when implementing IPCrypt
When implementing these encryption modes, keep in mind:
For more information on implementing these modes, see the Code Examples page.