What Is Encryption in Federal Agencies?
According tothe National Institute of Standards and Technology, encryption refers to the cryptographic transformation of data (called plaintext) into a form (called ciphertext) that conceals the datas original meaning to prevent it from being known or used.
In laymans terms, asOktanotes ina blog post, encryption basically scrambles data that can be decoded with a key. The goal of encryption is to send along encrypted data to a third party, who will then decrypt that information into a usable form with a decryption key.
The method used to conduct the scrambling (encryption) and unscrambling (decryption) is known as a cryptographic algorithm, and the security of the ciphertext does not depend on the secrecy of the algorithm,a CDW white paper notes. In fact, the most trusted algorithms are those that have been publicly vetted to find weaknesses.
According to Okta, there are at least three fundamental elements to modern encryption tools:
RELATED:How will agencies tackle zero trust in 2022?
Hashing is a concept related to encryption, but it focuses on a different set of priorities.
According to Okta, hashing involves scrambling data at rest to ensure its not stolen or tampered with. Protection is the goal, but the technique isnt built with decoding in mind.
AsSentinelOnenotes ina blog post, hashes are the output of a hashing algorithm like MD5 (Message Digest 5) or SHA (Secure Hash Algorithm), which aim to produce a unique, fixed-length string the hash value, or message digest for any given piece of data or message.
Organizations with vast numbers of usernames and passwords on file, such as federal agencies, are rightly very concerned with those usernames and passwords becoming compromised, increasing the risk that sensitive data will be exposed or exfiltrated. A password hash system could protect all of those passwords from hackers while ensuring those points arent tampered with before theyre used again, Okta notes. Hash encryption like this doesnt anonymize data, although plenty of people believe that it does. Instead, its used to protect this data from those who might misuse or alter it.
Importantly, according to Okta, a typical hashing protocol doesnt come with an automatic translation key. Instead, the process is used to determine alterations, and the data is stored in a scrambled state.
MORE FROM FEDTECH:How should agencies rethink data protection?
Because encryption and hashing serve different purposes for federal IT security teams, its important to know the key differences.
While encryption is primarily used to protect data in transit, hashing is used for protecting data in storage. Encryption can be used to protect passwords in transit while hashing is used to protect passwords in storage.
Data that has been decrypted can be decoded, but data that has been hashed cannot.
In neither case is data anonymized. Encryption relies on both public and private decryption keys while hashing relies only on private keys.
Each approach has its vulnerabilities, Okta notes. Breaking a hash means running a computer algorithm through the codes and developing theories about the key. It should be impossible, but experts say some programs can churn through 450 billion hashes per second, and that means hacking takes mere minutes, the company notes. Meanwhile, encrypted files can be easily decrypted if attackers are skillful enough.
Its important to note that agencies can combine hashing and encryption techniques. You might use hashing to protect password data on your server, but then you lean on encryption to protect files users download once they have gained access, Okta notes.
DIVE DEEPER:How do granular identity and access management controls enable zero trust?
Since hashing can be defeated, there are other ways agencies can use the technique to secure data. This is known as salting the hash.
Salting is the act of adding a series of random characters to a password before going through the hashing function,Okta notes in a separate blog post.
By adding a series of random numbers and letters to the original password, agencies can achieve a different hash function each time, according to Okta. This way, we protect against the flaw of the hash function by having a different hashed password each time, the post notes.
Salt encryption must be stored in a database along with the user password, according to Okta, and it is recommended that salts be random and unique per login to mitigate attacks using rainbow tables of pre-computed hashes.
While an attacker could still re-compute hashes of common password lists using a given salt for a password, a way to provide additional defense in depth is to encrypt password storage at rest, preferably backed by a hardware security module or cloud key management service like Amazon Web Services Key Management Service, Okta notes.
EXPLORE:Create a zero-trust environment among users and on your network.
See the original post here:
Hashing vs. Encryption: What's The Difference? - FedTech Magazine