Read time: 9 minutes

Asymmetric and symmetric encryption are the types of encryption used in cryptography. Symmetric encryption involves only one key, which is used for both encryption and decryption. The key has to be shared among the parties who wish to encrypt and decrypt data. In comparison, asymmetric encryption uses two separate keys which are related to each other mathematically. The keys are called the private key and the public key. Generally, a certificate is associated with a public key and holds information about the public key owner. The certificate contains information such as name, organization name, algorithms used, etc. Even though symmetric and asymmetric encryption seem similar, symmetric encryption is comparatively faster than asymmetric encryption, which is why symmetric encryption is often used in conjunction with asymmetric encryption. We will explore this further in the use cases discussed below.

Symmetric Encryption

As discussed above, symmetric encryption uses the same key for encryption and decryption, so the sender would somehow send the key to the receiver to decrypt the encrypted data. The key involved has to be protected and transferred securely. If the key is lost, then the data cannot be decrypted, and if the key gets compromised, that will compromise the encryption. 

Thus, symmetric keys are transferred among parties using asymmetric encryption, ensuring that the symmetric key remains encrypted. Two different keys are now involved in encrypting and decrypting the data.  

Symmetric encryption is much faster than asymmetric encryption, which is why it is still widely used today.

Asymmetric Encryption

Asymmetric encryption uses two separate keys which are mathematically related to each other. The first key is called the private key. The private key is the one that is heavily protected. Often this key remains in an HSM or an air-gapped computer to ensure its protection. The public key is derived from the private key and can be distributed. A certificate is often created with a public key, containing information about the key’s owner and a few details about the key itself.

The key pair relies on very large prime numbers. The public and private keys are computed simultaneously, using the same mathematical operation, namely trapdoor functions. The defining characteristic of trapdoor functions is that they are simple to compute in one direction but difficult to compute in the reverse direction. Using a private key, we can find the public key, but the private key cannot be obtained using the public key.

Even though asymmetric encryption provides more protection to the keys, it is comparatively slower than symmetric encryption. For this reason, asymmetric encryption is often used to exchange the secret key, which is then used to establish symmetric encryption so that data can be encrypted, transferred, and decrypted faster.

Use Cases

Symmetric Encryption
Symmetric encryption uses one key for encryption and decryption, which is why it is best used to encrypt and decrypt local data. Some of the use cases involving symmetric encryption are:

  • Data at rest: Data at rest refers to data that is stored on a physical drive and is not being transferred among devices. This data can be stored on hard drives, SSDs, flash drives, etc. Data at rest is often valuable to attackers, as it usually contains customer information, employee information, trade secrets, intellectual property, etc. To protect this data adequately, organizations use symmetric encryption.
    One effective way to encrypt all the data on a physical drive is to encrypt the drive itself. This is called whole disk or full disk encryption, which has fewer benefits than partial or folder encryption. Many applications (such as Word) create a temporary file while a document is open. This temporary file can remain unencrypted. Many Linux distributions offer full disk encryption during installation of the operating system, and Microsoft delivers BitLocker Drive Encryption for Windows. Full drive encryption does leave the boot volume unencrypted so that the operating system can boot, but every other volume, including swap space and temporary files, remains encrypted.
  • Banking and payment industry: The banking and payment industry is one of the most secure industries, and many compliance requirements are involved in keeping it safe. Nevertheless, it is also one of the busiest industries, which requires it to be fast. Symmetric encryption provides fast encryption and decryption of large amounts of data, including transactions. This data can often contain Personally Identifiable Information (PII), which needs to be protected to stay compliant with PCI DSS and to prevent identity theft. The industry also needs to verify the identity of the user and the authenticity of transactions quickly. This is one of the reasons why the banking industry uses symmetric encryption.

Asymmetric Encryption 
Asymmetric Encryption is slower than symmetric encryption, so it is used for small amounts of data, such as exchanging secret keys or providing digital identities.

As organizations move to the digital age, digital signatures become crucial for identifying authentic data and confirming someone’s identity. Digital signatures ensure that the data involved has not been modified and that the data (which can include PDFs, applications, etc.) is authentic. The recipient of signed data can use the digital signature to demonstrate to a third party that the claimed individual generated the signature. This is often called non-repudiation, since the individual cannot simply repudiate the signature at a later time.

The following steps explain how a digital signature is used to exchange information between a sender and a receiver:

  1. First, the data to be transferred is hashed using a hashing algorithm such as SHA-256. Hashing is a one-way function and produces a unique value for unique input. The original data cannot be obtained from the hash value. This ensures data integrity, because if the data is modified, the corresponding hash value will also change.
  2. The hash is then encrypted using the sender’s private key. This creates a digital signature.
  3. The digital signature is now attached to the data and sent to the receiver.
  4. After receiving the data and the digital signature, the receiver decrypts the signature using the sender’s public key, which yields the hash value generated in the first step.
  5. The receiver then hashes the received data.
  6. If the hash obtained in step 5 is equal to the hash the receiver obtained in step 4, data integrity is confirmed. If, however, the hashes do not match, then the data has been modified.

Digital signatures are meant to be used in emails, transferring data, distributing software, and other applications, requiring data integrity and ensuring the authenticity of the data origin.
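
The six steps above, as an added example that is not part of the original article: hash with SHA-256, transform the hash with the private key, then verify with the public key. It uses textbook RSA with a constructed key built from two fixed Mersenne primes so it runs with the Python standard library alone; the function names and the sample message are assumptions made for illustration.

```python
import hashlib

# Constructed demo key pair. P and Q are two well-known Mersenne primes,
# used only so the example runs offline with the standard library; a real
# key pair is generated from large random primes that are kept secret.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (sender only)


def sha256_int(data: bytes) -> int:
    """Steps 1 and 5: hash the data with SHA-256, returned as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Step 2: transform the hash with the sender's private key.

    This is textbook RSA on the bare hash, matching the steps as written.
    Deployed schemes pad the hash first (for example RSASSA-PSS).
    """
    return pow(sha256_int(data), d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Steps 4 to 6: recover the hash with the public key and compare."""
    if not 0 < signature < n:
        return False                   # malformed signature value
    return pow(signature, e, n) == sha256_int(data)


def demo() -> dict:
    """Run the exchange on a constructed message plus two failure cases."""
    message = b"Pay 100 EUR to account 12345"      # constructed sample data
    signature = sign(message)                      # step 3: sent with the data

    # A second, unrelated key pair standing in for anyone but the sender.
    p2, q2 = 2**107 - 1, 2**127 - 1
    other_d = pow(E, -1, (p2 - 1) * (q2 - 1))
    forged = sign(message, other_d, p2 * q2)

    return {
        "untouched": verify(message, signature),
        "data_modified": verify(b"Pay 900 EUR to account 12345", signature),
        "signed_with_other_key": verify(message, forged),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The second failure case is the authenticity property: a signature made with any other private key does not verify under the sender's public key, even when the data itself is unchanged.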

Use case of Asymmetric and Symmetric Encryption

Asymmetric and symmetric encryption are often used in combination with each other to balance performance, secure transfer, identification, etc., which neither may be able to achieve alone.

Use case 1: Messaging Applications

Many messaging applications such as WhatsApp, Telegram, and Signal provide end-to-end encryption to keep the users’ conversations confidential and to authenticate users so they can communicate with each other securely.

In end-to-end encryption, the messages and calls are encrypted so that no one apart from the users can obtain plaintext information. Only the data is encrypted; the headers, trailers, and routing information of the messages remain unencrypted.

One of the best features is that even if the key is somehow compromised from the user’s physical device, that key cannot be used to decrypt any previously encrypted text.

To be able to achieve this, both symmetric and asymmetric encryptions are used. Asymmetric encryption is used to initiate the conversation among the users, which involves exchanging secret keys for symmetric encryption. After the communication is established and a secret key is exchanged, symmetric encryption is used for the whole duration of the communication.

First, when the application is installed on the user’s end, the key pair is created. The user’s public key is registered and stored in the application server, but the private key remains on the user’s device. The user who wants to initiate the conversation obtains the receiver’s public key from the application server. Using the public key, the sender sends an encrypted message to the receiver. The encrypted message contains parameters to establish a symmetric session among the parties involved. The receiver uses their private key to decrypt the message and establish symmetric encryption between the sender and the receiver. Once the session has been established, clients exchange messages protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication. The encrypted session is recreated only when the application is re-installed or the device is changed.

Use case 2: HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication.  HTTPS is specified by RFC 2818 (May 2000) and uses port 443 by default instead of HTTP’s port 80. 

The HTTPS protocol makes it possible for website users to transmit sensitive data such as credit card numbers, banking information, and login credentials securely over the internet. For this reason, HTTPS is essential for securing online activities such as shopping, banking, and remote work. HTTPS is now the standard protocol for all websites, whether or not they exchange sensitive data with users.

An HTTPS connection between a client and a server uses both symmetric and asymmetric encryption. As in the previous use case, asymmetric encryption is first used to establish communication and exchange secrets, and then symmetric encryption is used for the rest of the communication. The keys used for symmetric encryption are called session keys. Session keys are randomly generated when a session is created and are used for that particular session only. The steps involved in HTTPS are:

  1. When the client tries to connect to the server, the server first sends a TLS certificate. The respective CA would verify the certificate to ensure the authenticity of the certificate and the server involved.
  2. The certificate also contains cipher suites and the maximum TLS version supported.
  3. After the certificate is verified and the algorithms and TLS versions are set to be the maximum among the client and the server, the client generates a session key. The session key is encrypted using the server’s public key and is sent to the server.
  4. The server decrypts the session key using its private key.
  5. The session key is then used for symmetric encryption, and data is exchanged between the server and the client using the session key.
  6. The session continues with only symmetric encryption.
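
The hybrid pattern shared by the messaging and HTTPS use cases above, as an added example that is not part of the original article: a random session key is encrypted under the server's public key, then all traffic is protected symmetrically with encrypt-then-MAC using HMAC-SHA256. Assumptions: the key is a constructed textbook-RSA key, and because the Python standard library has no AES, an HMAC-SHA256 counter keystream stands in for the AES-256-CBC cipher named in the text; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

# Constructed server key pair (fixed Mersenne primes, demo only).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                        # server public key
D = pow(E, -1, (P - 1) * (Q - 1))          # server private key


def wrap_session_key(session_key: bytes) -> int:
    """Client: encrypt the 32-byte session key with the server's public key.
    Textbook RSA for brevity; real key transport uses padding such as OAEP."""
    return pow(int.from_bytes(session_key, "big"), E, N)


def unwrap_session_key(wrapped: int) -> bytes:
    """Server: recover the session key with its private key."""
    value = pow(wrapped, D, N)
    if value >= 2**256:
        raise ValueError("wrapped key was corrupted or not meant for this server")
    return value.to_bytes(32, "big")


def _subkey(session_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the session key."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 run in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(session_key: bytes, plaintext: bytes) -> tuple:
    """Encrypt, then authenticate nonce and ciphertext with HMAC-SHA256."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + ciphertext,
                   hashlib.sha256).digest()
    return nonce, ciphertext, tag


def unseal(session_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Check the tag first (constant-time compare); decrypt only if it matches."""
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message was modified")
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def demo() -> dict:
    """One asymmetric operation per side, then symmetric protection only."""
    client_key = secrets.token_bytes(32)            # client generates session key
    server_key = unwrap_session_key(wrap_session_key(client_key))

    nonce, ct, tag = seal(client_key, b"card=4111-constructed-sample")
    received = unseal(server_key, nonce, ct, tag)   # server side

    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]       # one flipped bit in transit
    try:
        unseal(server_key, nonce, tampered, tag)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"keys_match": client_key == server_key,
            "received": received,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```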

Conclusion

Symmetric encryption is indeed one of the fastest encryption techniques, but the secret key needs to be exchanged securely for it to be effective. Asymmetric encryption is thus used to exchange the key involved in symmetric encryption. In both use cases, asymmetric encryption is used briefly to exchange parameters and establish the symmetric encryption used for the rest of the communication. Being slow and resource intensive, asymmetric encryption is only used to cover the shortcomings of symmetric encryption. Thus, both of them are used together to achieve secure communication, maintain privacy, and achieve authenticity, data integrity, and proper authentication.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Read time: 5 minutes 2 seconds

Organizations nowadays store and process their data in the cloud instead of handling it themselves. Cloud Service Providers (CSPs) provide these services at an affordable cost and with low maintenance. But to ensure compliance and retain privacy, organizations need to transfer the data in an encrypted format, which ensures the confidentiality of the data. However, once the data reaches the cloud, the CSP has to decrypt the data to perform any operation or computation on it.

Decrypting the data for the CSP loses the data’s confidentiality, which may concern organizations that must comply with data privacy regulations such as GDPR, FIPS, PCI DSS, CCPA, etc.

What is Homomorphic Encryption?

Homomorphic Encryption makes it possible to do computation while the data remains encrypted. This ensures the data remains confidential while it is being processed, which allows CSPs and other untrusted environments to accomplish their goals while we retain the confidentiality of the data.

As with other asymmetric encryption schemes, data under homomorphic encryption is encrypted using a public key and can only be decrypted by the respective private key. But while the data is encrypted, operations can be performed on it, which retains confidentiality and helps organizations achieve compliance even when using untrusted environments.

Why do we need Homomorphic Encryption?

Data creation has increased tremendously in recent times, and this data is sent to or stored in multiple environments belonging to other parties such as CSPs or other third-party organizations. From startups to big organizations, everyone uses CSPs to store or process data, where tools such as Big Query are used for data processing.

CSPs do provide some control over the data customers store in their environments, but those controls depend on the CSPs. While users can encrypt and store data on CSPs, conducting computation on that data would be limited. Thus, standard encryption is limited to data storage alone and does not allow any meaningful analysis of the data.

To be able to process data while ensuring data privacy, researchers are focusing on privacy-enabled computation. Homomorphic Encryption (HE) is one of the promising approaches in this direction.

Types of Homomorphic Encryption

Homomorphic Encryption allows computation on encrypted data without decrypting it. The mathematical operations that can be performed on the ciphertext differentiate the types of Homomorphic Encryption.
There are two main types:

  1. Partial Homomorphic Encryption (PHE) (supports either addition or multiplication, but not both)
  2. Fully Homomorphic Encryption (FHE) (supports both addition and multiplication)

Partial Homomorphic Encryption schemes such as the RSA and Paillier cryptosystems support either additive or multiplicative homomorphism. In 2009, Craig Gentry proposed an FHE scheme based on lattices for the first time. An FHE scheme usually supports addition and multiplication of ciphertexts as follows:

HE(a+b) = HE(a) + HE(b) and HE(a*b) = HE(a) * HE(b)

In other words, encrypting the sum or product of two plaintexts gives the same result as adding or multiplying their two ciphertexts.
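
The two partially homomorphic schemes named above, as an added example that is not part of the original article: Paillier is additive and textbook RSA is multiplicative, and neither offers both operations. In Paillier the "+" on ciphertexts in the formula is realised as multiplication modulo n². Assumptions: the key is constructed from two fixed Mersenne primes so the block runs with the standard library, and the function names and salary figures are illustrative.

```python
import math
import secrets

# Constructed demo primes; real keys use large random secret primes.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q                      # public key for both schemes below
N2 = N * N
PHI = (P - 1) * (Q - 1)        # private
MU = pow(PHI, -1, N)           # private (Paillier with generator g = N + 1)


def encrypt(m: int) -> int:
    """Paillier encryption; the random r makes every ciphertext different."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    # (N + 1)^m mod N^2 equals 1 + m*N, so no large exponentiation is needed.
    return ((1 + m * N) * pow(r, N, N2)) % N2


def decrypt(c: int) -> int:
    """Paillier decryption with the private values PHI and MU."""
    u = pow(c, PHI, N2)
    return (((u - 1) // N) * MU) % N


def add_encrypted(c1: int, c2: int) -> int:
    """HE(a) 'plus' HE(b): multiply ciphertexts to add the plaintexts."""
    return (c1 * c2) % N2


def scale_encrypted(c: int, k: int) -> int:
    """Multiply a hidden plaintext by a public constant k."""
    return pow(c, k, N2)


def cloud_weighted_sum(ciphertexts: list, weights: list) -> int:
    """What an untrusted server can compute using the public key only."""
    total = 1                  # 1 is a valid Paillier encryption of 0
    for c, w in zip(ciphertexts, weights):
        total = add_encrypted(total, scale_encrypted(c, w))
    return total


# Textbook RSA on the same modulus: multiplicative, not additive.
E = 65537
D = pow(E, -1, PHI)


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


if __name__ == "__main__":
    salaries = [52000, 61000, 48000]                 # constructed sample data
    encrypted = [encrypt(s) for s in salaries]       # done by the data owner
    result = cloud_weighted_sum(encrypted, [1, 1, 1])
    print("sum computed on ciphertexts:", decrypt(result))
    product = (rsa_encrypt(6) * rsa_encrypt(7)) % N
    print("RSA product computed on ciphertexts:", rsa_decrypt(product))
```

Multiplying two hidden Paillier plaintexts, or adding two hidden RSA plaintexts, is not possible with these operations; supporting both at once is what distinguishes FHE.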

Applications

HE makes it possible to achieve privacy-preserving computation in almost every scenario. Some of those include:

  1. Private Search

    Search engines rely on ads to generate revenue. While serving searches to their users, search engines get a better view of each user’s preferences, which helps them provide customized ads for the users they serve. Homomorphic encryption solves this problem. Search engines can crawl the encrypted data, process it as the algorithm is designed to, and serve the user with encrypted data. The user gets the desired result, while the search engine remains unaware of the data requested, which keeps preferences private and makes it more challenging to serve ads.

  2. Encrypted Databases

    In any cyber-attack, databases are often the most crucial infrastructure to protect. A breach may cost an organization a considerable compliance fine and a bad reputation to go along with it. Several security measures are kept in place, including encrypting the database. In case of a breach, the database would remain encrypted and could only be decrypted by a specific key, preventing unauthorized access to the database.
    If we employ the standard encryption, the encrypted database will not allow any operations on the records. We can use deterministic encryption, order-preserving encryption, and order-revealing encryption to support the encrypted database. But these would lead to leakages, such as memory access patterns and search patterns.
    With Homomorphic Encryption, it is possible to encrypt data in the database to obtain confidentiality, while we can also perform operations and computation on the data. Only authorized users with the key to decrypt the database can access the data in the database.

  3. Computation on Cloud

    Cloud computing saves money and reduces the maintenance an organization needs to perform on the infrastructure for the services it offers. Organizations can lease cloud infrastructure on a need basis to run their applications. CSPs also provide the ability to scale up according to the load on the infrastructure. Since the service providers typically manage clouds, organizations require the CSP to be compliant and to provide better privacy and security for their organization.
    If we choose to keep the data encrypted on the cloud and perform operations on the encrypted data, the CSP’s compliance and security measures become less relevant. CSPs can maintain the infrastructure that stores and processes the encrypted data while never accessing the plaintext.

Limitations and Drawbacks

Homomorphic Encryption computations are slow, and only a finite number of operations can be performed on the encrypted data. FHE-based computation is at least 10^6 times slower than computation on the plaintext.

Homomorphic Encryption is also not feasible for multiple users. If we have a database that multiple users need to access, we would need to create a separate database for every user, each encrypted using that user’s public key. This becomes impractical as the number of users or the size of the database increases.

Conclusion

Homomorphic Encryption in the current state is computationally expensive and practically inefficient. It can certainly be used to encrypt data, while we can perform different computations on the data. HE enables privacy-preserving computation, which helps us work with untrusted environments while maintaining the data’s confidentiality. Check out Format Preserving Encryption if interested in privacy-preserving computations.

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Read time: 04 minutes 22 seconds

Customers and the Cloud Service Provider (CSP) share the responsibility for security and compliance. Thus, the organization has the freedom to architect its security and compliance controls according to the services it utilizes from the CSP and the services it intends to deliver. The CSP has the responsibility to provide services securely and to provide physical security of the cloud. If, however, a customer opts for Software-as-a-Service, then the CSP provides standard compliance. Still, the organization has to check whether this meets the regulations and compliance levels it strives to achieve. Not all cloud services (such as different forms of databases) are created equal. Policies and procedures should be agreed upon between the CSP and the client for all security requirements and operational responsibilities.

Let’s dive into particular compliance and regulations maintained within the industry.

PCI DSS on Cloud

Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards formed in 2004 to secure credit and debit card transactions against data theft and fraud. PCI DSS is a compliance standard, which is a requirement for any business.

If payment card data is stored, processed, or transmitted in a cloud environment, PCI DSS applies to that environment and involves validation of the CSP’s infrastructure and the client’s usage of that environment.

Responsibility assignment for management of controls, by service model:

| PCI DSS Requirement | IaaS | PaaS | SaaS |
|---|---|---|---|
| Install and maintain a firewall configuration to protect cardholder data | Client and CSP | Client and CSP | CSP |
| Do not use vendor-supplied default for system passwords and other security parameters | Client and CSP | Client and CSP | CSP |
| Protect stored cardholder data | Client and CSP | Client and CSP | CSP |
| Encrypt transmission of cardholder data across an open, public network | Client | Client and CSP | CSP |
| Use and regularly update anti-virus software or programs | Client | Client and CSP | CSP |
| Develop and maintain secure systems and applications | Client and CSP | Client and CSP | Client and CSP |
| Restrict access to cardholder data by business need to know | Client and CSP | Client and CSP | Client and CSP |
| Assign a unique ID to each person with computer access | Client and CSP | Client and CSP | Client and CSP |
| Restrict physical access to cardholder data | CSP | CSP | CSP |
| Track and monitor all access to network resources and cardholder data | Client and CSP | Client and CSP | CSP |
| Regularly test security systems and processes | Client and CSP | Client and CSP | CSP |
| Maintain a policy that addresses information security for all personnel | Client and CSP | Client and CSP | Client and CSP |

GDPR

General Data Protection Regulation (GDPR) is the core of Europe’s digital privacy legislation. “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information,” said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed in December 2015.

GDPR applies to all companies which collect and process EU residents’ data. Non-EU companies would need to appoint a GDPR representative and be held liable for all fines and sanctions. Critical Requirements of GDPR are:

  1. Lawful, fair, and transparent processing

  2. Limitation of purpose, data, and storage

    Collect only necessary information and discard any personal information after processing is complete.

  3. Data subject rights

    A customer can ask what data an organization has on them and the intended use of the data.

  4. Consent

    Organizations must ask for the consent of the customer if personal data is processed beyond legitimate purposes. The customer can also remove consent anytime they wish.

  5. Personal data breaches

    Based on the severity and regulatory requirements, the customer must be informed within 72 hours of identifying the breach.

  6. Privacy by Design

    Organizations should incorporate organizational and technical mechanisms to protect personal data in the design of new systems and processes.

  7. Data Protection Impact Assessment

    Data Protection Impact Assessment should be conducted when initiating a new project, change, or product.

  8. Data transfers

    Organizations have to ensure personal data is protected and GDPR requirements are respected, even when a third party handles the data.

  9. Data Protection Officer

    When there is significant personal data processing in an organization, the organization should assign a Data Protection Officer.

  10. Awareness and training

    Organizations must create awareness among employees about crucial GDPR requirements.

To achieve GDPR compliance on the cloud, we need to take these additional steps:

  • Organizations should know the location where the data is stored and processed by the CSP.
  • Organizations should know which CSPs and cloud apps meet their security standards. Organizations should take adequate security measures to protect personal data from loss, alteration, and unauthorized processing.
  • Organizations should have a data processing agreement with the CSP and the cloud apps they will be using.
  • Organizations should collect only the data they need and should limit any further processing of personal data.
  • Organizations should ensure that the data processing agreement is respected and that personal data is not used for other purposes by the CSP or cloud apps.
  • Organizations should be able to erase data at will from all data sources in the CSP.

Conclusion

Regulations and compliance requirements depend on the country an organization operates in. It is essential to research the CSP and the regulations and compliance standards it follows. You can find more information about the CSPs on their respective websites:

If an organization fails to abide by the set of regulations applicable in the country or region, it may face fines and may lose the ability to operate in that country.

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

General Data Protection Regulation (GDPR) is the core of Europe’s digital privacy legislation. “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information,” said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed upon in December 2015.

GDPR applies to all companies which collect and process EU residents’ data. Non-EU companies would need to appoint a GDPR representative and be held liable for all fines and sanctions.

Critical Requirements of GDPR are:

  1. Lawful, fair, and transparent processing
  2. Limitation of purpose, data, and storage
    Collect only necessary information and discard any personal information after processing is complete.
  3. Data subject rights
    A customer can ask what data an organization has on them and the intended use of the data.
  4. Consent
    Organizations must ask for the consent of the customer if personal data is processed beyond legitimate purposes. The customer can also remove consent anytime they wish.
  5. Personal data breaches
    Based on the severity and regulatory requirements, the customer must be informed within 72 hours of identifying the breach.
  6. Privacy by Design
    Organizations should incorporate organizational and technical mechanisms to protect personal data in the design of new systems and processes.
  7. Data Protection Impact Assessment
    Data Protection Impact Assessment should be conducted when initiating a new project, change, or product.
  8. Data transfers
    Organizations have to ensure personal data is protected and GDPR requirements are respected, even when a third party handles the data.
  9. Data Protection Officer
    When there is significant personal data processing in an organization, the organization should assign a Data Protection Officer.
  10. Awareness and training
    Organizations must create awareness among employees about crucial GDPR requirements.

To achieve GDPR compliance on the cloud, we need to take these additional steps:

  1. Organizations should know the location where the data is stored and processed by the CSP.
  2. Organizations should know which CSPs and cloud apps meet their security standards. Organizations should take adequate security measures to protect personal data from loss, alteration, and unauthorized processing.
  3. Organizations should have a data processing agreement with the CSP and the cloud apps they will be using.
  4. Organizations should collect only the data they need and should limit any further processing of personal data.
  5. Organizations should ensure that the data processing agreement is respected and that personal data is not used for other purposes by the CSP or cloud apps.
  6. Organizations should be able to erase data at will from all data sources in the CSP.

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

What is Personally Identifiable Information (PII)?

The digital age of today is powered by customer and consumer data: data is the new currency. Provided it is collected through consent and transparency, consumer data is the key for enterprises to create value for their consumers, for example through personalization and transformed experiences. Among the various attributes of consumer data are those which can be used to uniquely identify the consumer – the set of such data is called Personally Identifiable Information (PII). Examples of PII include name, email address, telephone number, address, and other attributes related with the individual’s demographic, financial, health and any other personal details.

The need for enterprises to protect PII

With regulations such as the California Consumer Protection Act (CCPA) in the USA, General Data Protection Regulation (GDPR) in Europe and similar ones in other parts of the world, enterprises are under increasing legal obligations to protect PII data. As consumer awareness increases, each data breach causes a significant dent in consumer trust and consequently, the organization’s brand and reputation. However, it’s not just about brand and reputation: recent research indicates that each data breach has a financial impact of $4 million. With threats and vulnerabilities constantly on the rise, the need for enterprises to protect PII data is more today than ever before.

Encryption of PII Data

Encryption is one of the proven ways to protect PII data. Once consumer data is encrypted, the risk of a data breach can be mitigated to a large extent, and the impact of the breach can be contained – since the stolen data will be of no use to the attacker in an encrypted form. Apart from risk mitigation, PII data encryption is also necessary from a compliance perspective, with regulations such as CCPA and GDPR mentioned earlier, mandating such encryption.

What to encrypt?

The first step in PII data encryption is to decide what data to encrypt, and data privacy regulations offer a good starting point. For example, the HIPAA (Health Insurance Portability and Accountability Act) regulations in the US define the patient information that needs to be encrypted, including treatment information. One point to note is that while regulations indicate what data is to be encrypted, they leave the choice of the encryption technology to the enterprise.

Locating the data

Once the data to be encrypted is identified, the next step is in locating the data across the enterprise, as a part of a data discovery exercise. This is essential because PII data could be stored in multiple applications, databases, and file systems across the enterprise, or in the cloud. The data discovery exercise typically involves an application and system portfolio study or assessment, along with the use of data discovery tools.

Encryption Technologies & Standards

The next step is the actual encryption of the data. Multiple encryption technologies and standards are available; let’s take a look at the most popular ones.

Advanced Encryption Standard (AES):
AES is one of the best encryption options, primarily due to its strength and widespread acceptability. As one of the strongest encryption technologies available, AES enjoys widespread acceptability across regulations, enterprises, credit card issuers, and government agencies. AES is also used in the Pretty Good Privacy (PGP) standard, which is used by a large number of banking and financial services institutions. The National Institute of Standards and Technology (NIST) recommends AES as the highest standard for encryption, with three different key sizes: 128, 192, and 256 bits.

RSA:
This is an encryption standard named after its three inventors: Rivest, Shamir and Adleman. The strength of RSA is derived from the fact that prime factorization of very large numbers is computationally extremely difficult with existing hardware and compute resources. RSA has become popular since it can help assure the confidentiality, integrity, authenticity, and non-repudiation of data. Key lengths in RSA are very long at 1024 or 2048 bits, and this is another reason for RSA’s strength. With these key lengths, however, the algorithm is relatively slow, and therefore one application of RSA is to use it for key encryption instead of direct data encryption. Another limitation of RSA is that as computers get more powerful, key lengths need to get longer and longer in order to stay ahead of brute force attempts at prime factorization.

Elliptic Curve Cryptography (ECC):
This is emerging as a popular alternative to RSA due to its advantages of speed, smaller key sizes, and cryptographic efficiency. ECC is also a good option for mobile devices due to its lower requirements on compute power and battery use. The algorithm is based on algebraic equations that represent elliptic curves. Keys generated through this approach are mathematically several orders of magnitude stronger than the prime factorization approach of RSA. For example, a 256 bit ECC key has the same strength as a 3072 bit RSA key.

SSL/TLS:
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), have now become mainstream, with web servers and browsers being a familiar example of their usage. With PII data often being sent over the network from client to server, from one application to another and from one server to another, communication channel encryption using SSL/TLS is critical to avoid “man in the middle” attacks. At the heart of SSL/TLS is a handshake protocol between the two endpoints, secured using asymmetric cryptography, which is used to generate a session key that is valid only for that communication session. The rest of the communication over the channel is encrypted using a symmetric cryptography approach, with this session key used by both endpoints. The SSL/TLS protocol ensures both security and performance, and has become the de facto encryption standard for data in motion not just between a web browser and server, but across any two endpoints.

Key Management:
The ultimate success of any data encryption technology does not depend on the algorithms, hardware and software used: it depends on how well the private keys used for encryption are managed. The fundamental requirement for key management is to separate the encrypted data and the encryption keys into distinct physical locations. Options for key management include Hardware Security Modules (HSM), Virtual appliances, and Cloud key management services.
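
The pattern described under RSA and Key Management above (RSA encrypts the key, a symmetric cipher encrypts the data, and the private key is held apart from the stored records), shown as an added example that is not part of the original article. It uses Node.js's built-in crypto module; the record layout, the context string and the sample value are constructed for illustration, and AES-256-GCM and RSA-OAEP are choices made here rather than modes the article names.

```javascript
const crypto = require('node:crypto');

// Constructed key-encryption key (KEK). In production the private half stays
// in an HSM or cloud key management service, never beside the records.
const kek = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt one PII field: AES-256-GCM protects the data, RSA-OAEP wraps the AES key.
function encryptField(plaintext, publicKey, context) {
  const dataKey = crypto.randomBytes(32); // fresh 256-bit AES key per record
  const iv = crypto.randomBytes(12);      // 96-bit GCM nonce, unique per key
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  cipher.setAAD(Buffer.from(context));    // binds the ciphertext to its record and field
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const record = {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
  dataKey.fill(0);                        // do not keep the plaintext data key around
  return record;                          // safe to store: no usable key inside
}

// Decrypt: only a holder of the RSA private key can unwrap the AES key.
function decryptField(record, privateKey, context) {
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP },
    Buffer.from(record.wrappedKey, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey,
    Buffer.from(record.iv, 'base64'));
  decipher.setAAD(Buffer.from(context));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  // final() throws if the ciphertext, tag, or context was altered
  const pt = Buffer.concat([
    decipher.update(Buffer.from(record.ct, 'base64')),
    decipher.final(),
  ]);
  return pt.toString('utf8');
}

// Constructed sample: a made-up identifier stored under a made-up record path.
const context = 'customers/1042/ssn';
const stored = encryptField('000-12-3456', kek.publicKey, context);
```

A database dump that contains only `stored` yields nothing readable without the private key, and moving the ciphertext to another record's context makes decryption fail instead of returning another customer's value.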

Key Takeaways

Any enterprise that handles personally identifiable information (PII) of consumers is also responsible for protecting that data. Data breaches pose three significant business risks to any organization: loss of consumer trust, direct financial impact, and legal / regulatory implications and penalties. Encryption technologies offer a proven means for enterprises to protect PII data and address all three risks.

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

California voted and signed in the California Consumer Privacy Act in June 2018, which will go into effect January 1, 2020. California is no stranger to privacy laws. The state of California has introduced privacy laws such as the California Shine the Light Law, California Invasion of Privacy Act, California Online Privacy Protection Act, California Anti-Phishing Act of 2005, Privacy Rights for California Minors in the Digital World, and the California Electronic Communications Privacy Act. However, the California Consumer Privacy Act is harsher than any of the previous laws enacted by the state of California, rivaling the most recent General Data Protection Regulation of the EU. The CCPA does not cover all that is required by the GDPR, but creates the strictest privacy laws the United States has ever seen.

Personal information of individuals is at an all-time high risk. The misuse of personal data and privacy rights is now a primary concern worldwide. The California Consumer Privacy Act introduces never before seen consumer privacy regulations in America. The legislation aims to protect personal information by creating a broad definition: Personal Information (PI) is “information that identifies, relates to, describes, and is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”, as stated by the California Consumer Privacy Act. The legislation addresses organizations using, compiling, and distributing personal information. By doing so, the act aims to protect California consumers by enforcing the protection of personal information and forcing organizations to respect the privacy of citizens. Organizations that operate in California or do business within California will have to comply with the CCPA if they fall under one of the three categories:

1. Annual gross revenue is greater than $25 million,
2. Buy, receive, or sell PI of 50,000 or more consumers, households or devices, or
3. Derive 50 percent or more of annual revenue from selling California-based consumers’ PI.

If these regulations are not followed, the Attorney General can impose fines of up to $7,500 per intentional violation, and lawsuits can result in $100-750 per consumer per incident.

The California Consumer Privacy Act aims for consumers who are citizens of the state of California to retain ownership, power, and security of their personal information by establishing significant consumer rights such as:

• The right to know what and where personal information is being collected, sold and disclosed about them.
• The ability to deny the sale of personal information.
• The right to have equal service and price, if one decides to exercise their privacy rights.
• The right to be able to have personal information deleted.

While the CCPA and the GDPR are similar, they have a fair number of differences in regulations. The table below compares the two, showing both the similarities and the differences between the policies. Organizations that already comply with GDPR will be forced to make further provisions to comply with the CCPA as well.

Major Requirements California Consumer Privacy Act General Data Protection Regulation
Fines √ √ (Will be Higher)
Encrypted/Redacted Personal Data
Privacy by Design X
Compliance by all businesses collecting/personal data X
Limit sale of Personal Data X
Reporting of Data Breaches X
Options for Minors
Policies for Cookies X
Processing Bans X
Equal service and price, if exercising their privacy rights. X

About the author:

Fazel Ahsan is a cybersecurity expert specializing in the Encryption space. He is currently working as an Encryption Consultant at Encryption Consulting LLC.

Data Privacy regulations and compliance are becoming a driving force behind the need for Encryption, Tokenization, and Masking. In 2018, organizations are dealing with threats from cyber-attacks at an all-time high, yet now organizations must also adhere to the latest laws and regulations set nationally and globally. Further regulations and compliance requirements are on their way, but the guidelines already in place affect all industries, which will face major fines if the guidelines are not met. Many of these guidelines concern the protection of private data at rest, in use, and in motion. As of 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, have passed Data Privacy laws. Organizations operating within the U.S. must now also comply with European regulations. The EU has implemented the most recent General Data Protection Regulation, enforced in May of 2018. By using encryption procedures and technologies, organizations will be able to adhere to the many complex data privacy and security regulations while bolstering their overall security against cyber attacks.

The table below exemplifies how these technologies can help you meet the requirements:
