what scrambles information into an alternative form that requires a key or password to decrypt?

Encryption Basics

Healthcare and health IT professionals are entrusted with protecting the privacy and confidentiality of patient data. To provide this protection, these professionals often look to commonly accepted technologies and methodologies to safeguard the data while at rest and in transit. One technology capable of providing this type of protection is encryption.

The HIPAA security rule has long identified encryption (an addressable implementation specification) as a mechanism to safeguard electronic protected health information. More recently, the standards and certification criteria for electronic health records (EHR) specified that EHRs must be able to encrypt and decrypt health data in order to qualify for stage one of the meaningful use incentive program.

Similarly, guidance accompanying the breach notification interim final rule identified encryption as one technology that can render protected health information "unusable, unreadable, or indecipherable to unauthorized individuals." Protected health information that is encrypted in accordance with this guidance is not subject to breach notification requirements under the interim final rule. The guidance discusses encryption as a mechanism to protect information in transit and at rest.

Implementing and managing an encryption solution requires an understanding of basic encryption processes, an awareness of the security properties provided by encryption, and knowledge of important requirements for effective encryption.

Encryption Basics

Encryption is a security control used primarily to provide confidentiality protection for information. It is a mathematical transformation that scrambles information requiring protection (plaintext) into a form not easily understood by unauthorized people or machines (ciphertext). After being transformed into ciphertext, the plaintext appears random and does not reveal anything about the content of the original data. Once encrypted, no person (or machine) can discern anything about the content of the original information by reading the encrypted form of the data.

Encryption is a reversible transformation. It is useful only when encrypted information (ciphertext) can be reversed back to its original, unencrypted form (plaintext). If not reversible, the encrypted data are considered unreadable and unusable.

This reversal process is referred to as decryption. An encryption function has a corresponding decryption function, which is used to reverse the encrypted data (ciphertext) back to its original content (plaintext).

Each encryption and decryption function requires a cryptographic key. A cryptographic key is a string of binary digits used as an input to encryption and decryption functions.

In order for the encryption function to transform the plaintext into ciphertext and for the decryption function to reverse the ciphertext back to its original form, the encryption and decryption functions must use the same cryptographic key. This is referred to as a symmetric key. The encryption functions specified in the Advanced Encryption Standard are widely supported in current systems and software.

As depicted in the figure at right, the encryption function requires two inputs, plaintext and a cryptographic key, in order to output ciphertext.

Figure: Encryption Function. The encryption function requires two inputs, plaintext and a cryptographic key, in order to output ciphertext.

Figure: Decryption Function. The decryption function requires two inputs, ciphertext and a cryptographic key, in order to output plaintext.

Encryption in Widely Used Computer Applications

Encryption is widely used in many computer applications to protect data in transit and at rest. User involvement in the encryption process may vary for each application. For example, in some applications of secure Web browsing using Secure Socket Layer (SSL) or Transport Layer Security (TLS) protocols, the use of encryption may be transparent to users. In other implementations, users may be required to enter a password to encrypt or decrypt the protected data if the cryptographic key is derived from the password.

E-mail can be encrypted by the sender and then decrypted by the intended recipient using Secure/Multipurpose Internet Mail Extensions (S/MIME). The e-mail can then be read only by the sender and the intended recipient.

Internet Protocol Security (IPsec) is a suite of network layer security protocols frequently used to establish virtual private networks. They enable only the two ends of a communication in a computer network to understand the encrypted messages exchanged between them.

The SSL protocol and its successor, TLS, are the primary end-to-end security protocols used to protect information traversing the Internet. The most common usage scenario for these protocols is a Web browser, acting as a client for the human user, interacting with a Web server. Using SSL and TLS, encrypted messages between a Web browser and a Web server cannot be decrypted by any unauthorized party.

In addition to protecting data being transmitted over computer networks, encryption is also used to protect data at rest, such as data stored on hard drives, USB drives, and other end-user storage devices. For example, when an encrypted hard drive is stolen or in an unauthorized user's possession, the encrypted data on the hard drive are useless to the unauthorized user because the unauthorized user cannot reproduce the plaintext from the hard drive without the cryptographic key.

Requirements for Implementing Encryption

Encryption is an important security control to provide confidentiality protection for information. For encryption to be effective and to provide information confidentiality, it is important for the following requirements to be met.

Keep the cryptographic key secret. Encryption algorithms are made public to allow for interoperability, ease of use, and more open and effective analysis. The security of the encryption depends on the secrecy of the cryptographic key. The cryptographic key must be kept secret from all entities who are not allowed to see the plaintext. Any person or machine that knows the cryptographic key can apply the decryption function to decrypt the ciphertext, exposing the plaintext. If a strong cryptographic key is generated but is not kept secret, then the data are no longer protected. Keeping the cryptographic key secret ensures confidentiality protection of the protected data.

Protect the cryptographic key from modification. The cryptographic key must always be protected from modification. For the ciphertext to be transformed to plaintext, the decryption function must use the same cryptographic key used by the encryption function. If the cryptographic key is modified, the plaintext cannot be reproduced. When this happens, the plaintext (the protected data) is lost. It is very important to protect the cryptographic key from any modification (including being lost).

Like other files, cryptographic keys could be intentionally or unintentionally modified. For example, cryptographic keys could be unintentionally corrupted during transmission if an application or protocol using the cryptographic key does not operate as expected. A malicious user with access to the cryptographic key could intentionally modify the cryptographic key to prevent access to encrypted data. In either situation, plaintext data cannot be reproduced with the modified cryptographic key.

Therefore, any organization using encryption should have a key recovery mechanism to recover the cryptographic key if it is lost or modified. An example of such a recovery mechanism is to make multiple copies of the cryptographic key and store them separate from each other in locations unknown to unauthorized parties. If the original key is modified or lost, a recovery copy can be used.
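The following Go program is an added example, not code from the article or from NIST, that puts the symmetric-key basics and the key-secrecy, key-modification and key-recovery requirements above into practice. It uses AES-256 in GCM mode from Go's standard library (an assumption; the article names only the Advanced Encryption Standard), the patient record it encrypts is a constructed sample, and RecoverWithBackup is a hypothetical helper that models the "separately stored copy" recovery mechanism the text describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt turns plaintext into ciphertext under a symmetric AES key (16, 24 or 32 bytes).
// AES-GCM is used so that any change to the ciphertext, or use of the wrong key, is
// detected on decryption. The random 12-byte nonce is prepended to the output.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It succeeds only with the exact key used to encrypt;
// any other key, including one with a single corrupted bit, fails authentication.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// NewKey generates a fresh random 256-bit AES key from the OS cryptographic random source.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// RecoverWithBackup (hypothetical helper) models the key-recovery step: if decryption
// with the working copy of the key fails because it was lost or corrupted, fall back
// to a copy stored separately from it.
func RecoverWithBackup(working, backup, ciphertext []byte) ([]byte, error) {
	if pt, err := Decrypt(working, ciphertext); err == nil {
		return pt, nil
	}
	return Decrypt(backup, ciphertext)
}

func main() {
	key, _ := NewKey()
	backup := append([]byte(nil), key...) // in practice stored in a separate, protected location

	// Constructed sample record; not real patient data.
	record := []byte("patient: Jane Doe; MRN 000000; dx: constructed sample")
	ct, _ := Encrypt(key, record)
	fmt.Printf("ciphertext (%d bytes) reveals nothing about the record: %x...\n", len(ct), ct[:16])

	pt, _ := Decrypt(key, ct)
	fmt.Println("same key recovers plaintext:", bytes.Equal(pt, record))

	key[0] ^= 0x01 // a single corrupted bit in the working copy of the key
	if _, err := Decrypt(key, ct); err != nil {
		fmt.Println("modified key cannot reproduce plaintext:", err)
	}
	pt, err := RecoverWithBackup(key, backup, ct)
	fmt.Println("separately stored copy recovers plaintext:", err == nil && bytes.Equal(pt, record))
}
```

The authenticated mode matters for the "protect the key from modification" point: with an unauthenticated mode a corrupted key would silently yield garbage, whereas GCM reports the failure, which is what lets a recovery mechanism know it must fall back to the backup copy.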

Know the importance of cryptographic key length in choosing an encryption algorithm. To decrypt the ciphertext, an attacker must search for the cryptographic key by decrypting the ciphertext with all possible keys until the right key is found. For example, if the cryptographic key is two bits long, there are four possible keys that the attacker may try (00, 01, 10, 11). The longer the key, the more possible keys the attacker must try.

Generally speaking, an encryption algorithm that uses a longer key provides a greater level of confidentiality protection. For example, the Advanced Encryption Standard using a 192-bit key (AES-192) provides stronger protection than the Advanced Encryption Standard using a 128-bit key (AES-128) because there are more possible values for a 192-bit key than for a 128-bit key.

Generate a strong cryptographic key and transport it securely. If an attacker can get information about certain bits of the key, then the encryption function using this key does not provide the necessary level of protection. For example, if the key is two bits and the attacker knows that the first bit of the key is equal to the second bit, then the attacker needs to try only two possible keys, 00 and 11, instead of four combinations.

Ideally, a cryptographic key is a randomly generated string of bits that provides the attacker with no information about any bits of the key. Keys can be generated using a Deterministic Random Bit Generator, a function used to generate high-quality random bits for an encryption key. The National Institute of Standards and Technology's "Recommendation for Random Number Generation Using Deterministic Random Bit Generators" recommends NIST-approved mechanisms for the generation of random bits using deterministic methods.
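An added example, not code from the article or from NIST, illustrating the key-length and known-bits points above. It computes the size of the key space for several key lengths, draws a key from the operating system's cryptographic random source, and shows how a constructed "weak" 128-bit AES key, whose remaining bits the attacker already knows to be zero, falls to the exhaustive search the text describes. WeakKey and ExhaustiveSearch are hypothetical helpers built only for this illustration; the 16-bit secret value and the plaintext block are constructed sample inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math/big"
)

// KeySpace returns the number of possible keys of the given bit length, 2^bits.
// A 2-bit key has 4 possible values; a 128-bit key has 2^128.
func KeySpace(bits int) *big.Int {
	return new(big.Int).Lsh(big.NewInt(1), uint(bits))
}

// RandomKey draws a key of 'size' bytes from the OS cryptographic random source
// via crypto/rand, so that no bit of the key is predictable to an attacker.
func RandomKey(size int) ([]byte, error) {
	key := make([]byte, size)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WeakKey (hypothetical helper) models a badly generated 128-bit AES key: every bit is
// known to be zero except the low 'unknownBits' bits (at most 32), which hold the secret.
func WeakKey(secret uint32, unknownBits int) []byte {
	key := make([]byte, 16)
	mask := uint32(1)<<uint(unknownBits) - 1
	binary.BigEndian.PutUint32(key[12:], secret&mask)
	return key
}

// ExhaustiveSearch (hypothetical helper) is the attacker the text describes: given one
// plaintext block and its encryption, it tries every key in the reduced space until one
// reproduces the ciphertext. It returns the key found (nil if none) and the trial count.
func ExhaustiveSearch(plain, want []byte, unknownBits int) ([]byte, uint64) {
	var out [aes.BlockSize]byte
	limit := uint64(1) << uint(unknownBits)
	for candidate := uint64(0); candidate < limit; candidate++ {
		key := WeakKey(uint32(candidate), unknownBits)
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, candidate
		}
		block.Encrypt(out[:], plain)
		if bytes.Equal(out[:], want) {
			return key, candidate + 1
		}
	}
	return nil, limit
}

func main() {
	fmt.Println("2-bit key space:", KeySpace(2), " 128-bit:", KeySpace(128), " 192-bit:", KeySpace(192))

	// Constructed sample: one 16-byte block encrypted under a weak key whose only unknown
	// part is 16 bits, so there are 65,536 candidates instead of 2^128.
	plain := []byte("0123456789abcdef")
	secret := WeakKey(0xBEEF, 16)
	block, _ := aes.NewCipher(secret)
	ct := make([]byte, aes.BlockSize)
	block.Encrypt(ct, plain)

	found, trials := ExhaustiveSearch(plain, ct, 16)
	fmt.Printf("weak key recovered after %d trials: %t\n", trials, bytes.Equal(found, secret))

	strong, _ := RandomKey(32) // 256-bit key from crypto/rand
	fmt.Printf("random AES-256 key: %x (search space %s keys)\n", strong, KeySpace(256))
}
```

The search over 16 unknown bits finishes in well under a second on commodity hardware, which is the whole point: the algorithm is the same AES the text recommends, and what was lost was not the cipher's strength but the unpredictability of the key bits. A key drawn from crypto/rand leaves all 128 or 256 bits unknown, so the same search would have to cover the full KeySpace value printed last.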

Cryptographic keys can be generated solely by the encrypting entity, or through cooperation between the encrypting and decrypting entities, depending on the usage scenario. NIST's "Recommendation for Key Management-Part 1" discusses approved cryptographic key generation methods when the key is generated solely by the encrypting party.

In many secure communication protocols (e.g., TLS), the cryptographic key may be generated through cooperation of the encrypting and decrypting entities. NIST's "Recommendation for Key Management-Parts 1 and 2" provides guidelines on these key agreement schemes.

In an application where the encrypting entity needs to share the key with a separate decrypting entity, the key must be transported to the decrypting entity in a secure fashion. This transportation can be done physically using an electronic device such as a USB drive that holds the cryptographic key. It can also be done electronically over a computer network. NIST's "Recommendation for Key Management-Parts 1 and 2" provides guidelines on methods of secure key transport.

Encrypt all copies of the data. All data that require confidentiality protection should be encrypted if there is a possibility that an unauthorized person could access them. Data at rest in an operational environment are often encrypted. However, all copies of data, including data in storage and backup environments, should also be encrypted to provide comparable protection.

Transition to NIST-approved encryption functions. Over time, changes in the use of encryption may be necessary because of cryptographic attacks on encryption algorithms or the availability of more powerful computing techniques and/or devices. Data encrypted in the past using a non-NIST-approved encryption algorithm or a NIST-approved encryption algorithm that has become obsolete should be encrypted using a current NIST-approved encryption algorithm to ensure a strong level of protection for the data. NIST's "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths" identifies current approved algorithms and timelines for acceptable use.

For more information on encryption processes and technologies, visit NIST's Computer Security Resource Center at http://csrc.nist.gov.

Kevin Stine is an information security specialist and Quynh Dang is a computer scientist for the National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division.


Article citation:
Stine, Kevin; Dang, Quynh. "Encryption Basics." Journal of AHIMA 82, no. 5 (May 2011): 44-46.



Source: https://bok.ahima.org/doc?oid=104090
