# Encryption Algorithms

Security is top of mind for anyone in IT these days. It must be, given that Gartner estimates that spending on information security and risk management will total $172 billion in 2022, up from $155 billion in 2021. While there are plenty of technologies you can buy to secure your data, encryption is one aspect of security technology that every computer user should understand.

## Ciphers (?)

- Ciphers are algorithms used to encrypt or decrypt the data.

- Block ciphers: Deterministic algorithm operating on block (group of bits) of fixed size with an unvarying transformation specified by a symmetric key. Most modern ciphers are block ciphers. These are widely used to encrypt bulk data. Examples includes DES, AES, IDEA, etc.
- Stream ciphers: Symmetric key ciphers are plaintext digits combined with a key stream (pseudorandom cipher digit stream). Here, the user applies the key to each bit, one at a time. Examples includes RC4, SEAL, etc.

**Encryption Algorithms**

## Data Encryption Standard (DES)

The algorithm is designed to encipher and decipher blocks of data consisting of 64 bits under control of a 56-bit key.

DES is the archetypal block cipher – an algorithm that takes a fixed-length string of plaintext bits and transforms it into a ciphertext bitstring of the same length.

Due to the inherent weakness of DES with today’s technologies, some organizations repeat the process three times (3DES) for added strength, until they can afford to update their equipment to AES capabilities.

## Advanced Encryption Standard (AES)

### The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. government and many other organizations.

Although it is extremely efficient in 128-bit form, AES encryption also uses keys of 192 and 256 bits for heavy-duty encryption.

AES is considered resistant to all attacks, with the exception of brute-force attacks, which attempt to decipher messages using all possible combinations in the 128-, 192- or 256-bit cipher. Still, security experts believe that AES will eventually become the standard for encrypting data in the private sector.

## RSA (Rivest Shamir Adleman)

RSA is an Internet encryption and authentication system that uses an algorithm developed by Ron Rivest, Adi Shamir, and Leonard Adleman.

RSA encryption is widely used and is one of the de-facto encryption standard.

It uses modular arithmetic and elementary number theories to perform computations using two large prime numbers.

## Message Digest (One-way Hash) Functions

- Hash functions calculate a unique fixed-size bit string representation called a message digest of any arbitrary block of information.
- If any given bit of the function’s input is changed, every output bit has a 50 percent chance of changing.
- It is computationally infeasible to have two files with the same message digest value.
- Note: Message digests are also called one-way hash functions because they cannot be reversed.

- Message digest functions distill the information contained in a file (small or large) into a single fixed-length number, typically between 128 and 256 bits.
- If any given bit of the function’s input is changed, every output bit has a 50% chance of changing.

## Message Digest Function: MD5

- MD5 algorithm takes a message of arbitrary length as input and outputs a 128-bit fingerprint or message digest of the input.
- MD5 hash is a 32-digit hexadecimal number.
- MD5 is not collision resistant, use of latest algorithms such as SHA-2 and SHA-3 is recommended.
- It is still deployed for digital signature applications, file integrity checking and storing passwords.

`echo "There is CHF1500 in the blue bo" | md5sum`

`e41a323bdf20eadafd3f0e4f72055d36`

## Secure Hashing Algorithm (SHA)

- It is an algorithm for generating cryptographically secure one-way hash, published by the National Institute of Standards and Technology as a U.S. Federal Information Processing Standard.
- SHA1: It produces a 160-bit digest from a message with a maximum length of (2^64-1) bits, and resembles the MD5 algorithm.
- SHA2: It is a family of two similar hash functions, with different block sizes, namely SHA-256 that uses 32-bit words and SHA-512 that uses 64-bit words.
- SHA3: SHA-3 uses the sponge construction in which message blocks are XORed into the initial bits of the state, which is then invertibly permuted.

**Encryption Best Practices **

- Know the laws: When it comes to safeguarding the personally identifiable information, organizations must adhere to many overlapping, privacy-related regulations. The top six regulations that impact many organizations include: FERPA, HIPAA, HITECH, COPPA, PCI DSS and state-specific data breach notifications laws.
- Assess the data: A security rule under HIPAA does not explicitly require encryption, but it does state that entities should perform a data risk assessment and implement encryption if the evaluation indicates that encryption would be a “reasonable and appropriate” safeguard. If an organization decides not to encrypt electronic protected health information (ePHI), the institution must document and justify that decision and then implement an “equivalent alternative measure.”
- Determine the required or needed level of encryption: The U.S. Department of Health and Human Services (HHS) turns to the National Institute of Standards and Technology (NIST) for recommended encryption-level practices. HHS and NIST have both produced robust documentation for adhering to HIPAA’s Security Rule. NIST Special Publication 800-111 takes a broad approach to encryption on user devices. In a nutshell, it states that when there is even a remote possibility of risk, encryption needs to be in place. FIPS 140-2, which incorporates AES into its protocols, is an ideal choice. FIPS 140-2 helps education entities ensure that PII is “rendered unusable, unreadable or indecipherable to unauthorized individuals.” A device that meets FIPS 140-2 requirements has a
**cryptographic**erase function that “leverages the encryption of target data by enabling sanitization of the target data’s encryption key, leaving only the cipher text remaining on the media, effectively sanitizing the data.” - Be mindful of sensitive data transfers and remote access: Encryption must extend beyond laptops and backup drives. Communicating or sending data over the internet needs Transport Layer Security (TLS), a protocol for transmitting data over a network, and
**AES encryption**. When an employee accesses an institution’s local network, a secure VPN connection is essential when ePHI is involved. Also, before putting a handful of student files on a physical external device for transfer between systems or offices, the device must be encrypted and meet FIPS 140-2 requirements to avoid potential violations. - Note the fine print details: Unfortunately, many schools erroneously approve data collecting and data mining techniques that parents and kids find undesirable or that violate FERPA because they do not exercise adequate due diligence in assessing the privacy and data security rules of third-party firms. The workstations in a workplace need to be password-protected, but regulatory compliance goes far further than that. Data-at-rest kept on school systems or removable media devices must be protected using encryption. Keep in mind that the main cause of security breaches is data at rest that is out of the school’s firewall (or “in the wild”).