In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.
Encryption Types / Methods
In public-key encryption schemes, the encryption key is published so that anyone can use it to encrypt messages. Only the receiving party has access to the decryption key that enables messages to be read. Public-key encryption was first described in a secret document in 1973. Before that, all encryption schemes were symmetric-key (also called private-key).
In symmetric-key schemes, the encryption and decryption keys are the same. Communicating parties must have the same key in order to achieve secure communication.
Triple DES was designed to replace the original Data Encryption Standard (DES) algorithm, which hackers learned to defeat with ease. At one time, Triple DES was the recommended standard and the most widely used symmetric algorithm in the industry.
Triple DES uses three individual keys of 56 bits each. The total key length adds up to 168 bits, but experts say the effective key strength is closer to 112 bits.
Though it is slowly being phased out, Triple DES is still a dependable hardware encryption solution for financial services and other industries.
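The key-length figures above can be checked empirically. The following is an added example, not part of the original page: it uses Go's crypto/des to flip each bit of a constructed 24-byte Triple DES key and counts the flips that change the ciphertext. The low bit of every key byte is a parity bit that the cipher ignores, so 168 of the 192 stored bits matter. The sample key, block and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Constructed sample key (three 8-byte DES keys) and block, not real secrets.
var sampleKey, _ = hex.DecodeString("0123456789abcdef" + "23456789abcdef01" + "456789abcdef0123")
var sampleBlock = []byte("8 bytes!")

// encryptBlock encrypts one 8-byte block with Triple DES under a 24-byte key.
func encryptBlock(key, block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// EffectiveKeyBits flips every key bit in turn and counts the flips that
// change the ciphertext; bits with no effect are returned in ignored.
func EffectiveKeyBits(key, block []byte) (effective int, ignored []int, err error) {
	base, err := encryptBlock(key, block)
	if err != nil {
		return 0, nil, err
	}
	for bit := 0; bit < len(key)*8; bit++ {
		k := append([]byte(nil), key...)
		k[bit/8] ^= byte(0x80) >> uint(bit%8) // bit 0 is the top bit of byte 0
		ct, _ := encryptBlock(k, block)       // same key length, cannot fail
		if bytes.Equal(ct, base) {
			ignored = append(ignored, bit)
		} else {
			effective++
		}
	}
	return effective, ignored, nil
}

func main() {
	n, ignored, _ := EffectiveKeyBits(sampleKey, sampleBlock)
	fmt.Printf("%d of %d key bits matter; ignored bit positions: %v\n", n, len(sampleKey)*8, ignored)
}
```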
RSA is a public-key encryption algorithm and the standard for encrypting data sent over the internet. It also happens to be one of the methods used in PGP and GPG programs.
Unlike Triple DES, RSA is considered an asymmetric encryption algorithm because it uses a pair of keys. The public key is used to encrypt a message and a private key to decrypt it. It takes attackers quite a bit of time and processing power to break this encryption code.
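An added example, not from the original page, of how the symmetric and public-key schemes described above fit together: a sender wraps a random 256-bit symmetric key with the recipient's RSA public key, and only the matching private key unwraps it. The function names, the generated key pairs and the choice of OAEP padding with SHA-256 are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrapKey encrypts a symmetric key to the holder of pub using RSA-OAEP.
func WrapKey(pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
}

// UnwrapKey recovers the symmetric key; it needs the matching private key.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Exchange generates two constructed key pairs, wraps a fresh 256-bit key to
// the recipient's public key, and reports who can recover it.
func Exchange() (recipientOK, outsiderOK bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	outsider, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	symKey := make([]byte, 32)
	if _, err = rand.Read(symKey); err != nil {
		return false, false, err
	}
	wrapped, err := WrapKey(&recipient.PublicKey, symKey)
	if err != nil {
		return false, false, err
	}
	got, errR := UnwrapKey(recipient, wrapped)
	_, errO := UnwrapKey(outsider, wrapped) // wrong private key
	return errR == nil && bytes.Equal(got, symKey), errO == nil, nil
}

func main() {
	r, o, err := Exchange()
	fmt.Println("recipient recovers key:", r, "| outsider recovers key:", o, "| err:", err)
}
```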
The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. government and many other organizations.
Although it is extremely efficient in 128-bit form, AES also uses keys of 192 and 256 bits for heavy-duty encryption.
AES is considered resistant to all attacks, with the exception of brute-force attacks, which attempt to decipher messages by trying every possible combination of the 128-, 192- or 256-bit key. Still, security experts believe that AES will eventually become the standard for encrypting data in the private sector.
There are a number of standards related to cryptography. The following are standards for encryption:
- Data Encryption Standard (now obsolete)
- Advanced Encryption Standard
- RSA (the original public-key algorithm)
- OpenPGP
File Encryption Overview
File system-level encryption, often called file and folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself.
Disk Encryption Overview
Disk encryption is a technology that protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized users. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume.
Email Encryption Overview
Email encryption is encryption of email messages designed to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication. Email is not secure and may disclose sensitive information. Most email is currently transmitted in clear (unencrypted) form. By means of some available tools, people other than designated recipients can read the email content. Email encryption traditionally uses one of two protocols, either TLS or end-to-end encryption. Within end-to-end encryption, there are several options, including PGP and S/MIME protocols.
Encryption Best Practices
- Know the laws: When it comes to safeguarding personally identifiable information, organizations must adhere to many overlapping, privacy-related regulations. The top six regulations that impact many organizations include: FERPA, HIPAA, HITECH, COPPA, PCI DSS and state-specific data breach notification laws.
- Assess the data: A security rule under HIPAA does not explicitly require encryption, but it does state that entities should perform a data risk assessment and implement encryption if the evaluation indicates that encryption would be a “reasonable and appropriate” safeguard. If an organization decides not to encrypt electronic protected health information (ePHI), the institution must document and justify that decision and then implement an “equivalent alternative measure.”
- Determine the required or needed level of encryption: The U.S. Department of Health and Human Services (HHS) turns to the National Institute of Standards and Technology (NIST) for recommended encryption-level practices. HHS and NIST have both produced robust documentation for adhering to HIPAA’s Security Rule. NIST Special Publication 800-111 takes a broad approach to encryption on user devices. In a nutshell, it states that when there is even a remote possibility of risk, encryption needs to be in place. FIPS 140-2, which incorporates AES into its protocols, is an ideal choice. FIPS 140-2 helps education entities ensure that PII is “rendered unusable, unreadable or indecipherable to unauthorized individuals.” A device that meets FIPS 140-2 requirements has a cryptographic erase function that “leverages the encryption of target data by enabling sanitization of the target data’s encryption key, leaving only the cipher text remaining on the media, effectively sanitizing the data.”
- Be mindful of sensitive data transfers and remote access: Encryption must extend beyond laptops and backup drives. Communicating or sending data over the internet needs Transport Layer Security (TLS), a protocol for transmitting data over a network, and AES encryption. When an employee accesses an institution’s local network, a secure VPN connection is essential when ePHI is involved. Also, before putting a handful of student files on a physical external device for transfer between systems or offices, the device must be encrypted and meet FIPS 140-2 requirements to avoid potential violations.
- Note the fine print details: Unfortunately, many schools fail to engage in proper due diligence in reviewing third-party services’ privacy and data-security policies, and inadvertently authorize data collection and data-mining practices that parents/students find unacceptable or that violate FERPA. Regulatory compliance entails much more than simply password-protecting an office’s workstations. It requires using encryption to protect data at rest when stored on school systems or removable media devices. Remember that data at rest that is outside the school’s firewall (or “in the wild”) is the top source of security breaches.
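The cryptographic erase function quoted in the list above, as an added example that is not part of the original page: data is stored only as AES-256-GCM ciphertext, and sanitizing the key slot makes it unreadable while the ciphertext stays in place. The Volume type and its methods are hypothetical and model in memory what a device does in its own key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Volume is a hypothetical encrypted medium: ciphertext plus a key slot.
type Volume struct{ key, nonce, ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewVolume encrypts plaintext with AES-256-GCM under a fresh random key.
func NewVolume(plaintext []byte) (*Volume, error) {
	buf := make([]byte, 32+12) // 256-bit key, then a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	aead, err := newGCM(buf[:32])
	if err != nil {
		return nil, err
	}
	return &Volume{buf[:32], buf[32:], aead.Seal(nil, buf[32:], plaintext, nil)}, nil
}

// Read decrypts the media with whatever is currently in the key slot.
func (v *Volume) Read() ([]byte, error) {
	aead, err := newGCM(v.key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, v.nonce, v.ciphertext, nil)
}

// CryptoErase sanitizes only the key slot; the ciphertext stays on the media.
func (v *Volume) CryptoErase() { copy(v.key, make([]byte, len(v.key))) }

func main() {
	v, _ := NewVolume([]byte("constructed sample record"))
	v.CryptoErase()
	fmt.Println(v.Read()) // decryption fails; the ciphertext is still present
}
```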