Choosing the right algorithm
An encryption algorithm is a mathematical function that transforms plaintext into ciphertext. Choosing the right algorithm is important because vulnerabilities may be discovered over time or advances in computing processing power may mean that a brute-force attack (ie attempting every possible key) is no longer a time-consuming task.
Organisations should therefore regularly assess whether their encryption method remains appropriate.
Rather than develop a custom algorithm it is recommended that a data controller uses a trusted and verified algorithm.
Accredited products (see ‘Choosing the right software’ below) can provide an assurance of suitability and also permit data controllers to demonstrate a level of compliance with legal obligations. However, it is important to review regularly the products being used due to the nature of technical development over time.
Choosing the right key size
Algorithms use keys to encrypt and decrypt data. Encrypting the same data with a different key will produce a different result. Just as it is important to choose the right algorithm, it is also important to ensure that the key size is sufficiently large to defend against an attack over the lifetime of the data. As computing processing power increases or new mathematical attack methods are discovered, a key must remain sufficiently large to ensure that an attack remains a practical impossibility.
Data controllers should therefore regularly assess whether their encryption keys remain sufficiently large to prevent a brute force or other method of attack. They should also assess the risks and likelihood of an attack given the amount of personal data they hold.
Choosing the right software
The way that encryption software is put together is also crucially important. Software can use a state of the art algorithm and a suitably long key to output encrypted data, but if its development did not follow good practice, or the product itself is poorly tested or subject to insufficient review, there may be vulnerabilities or other opportunities for attackers to intercept data or break the encryption without the users’ knowledge. It is also possible that the encryption software includes an intentional weakness or backdoor to enable those with knowledge of the weakness to bypass the protection and access the protected data.
It is therefore important to gain an external assessment of encryption software where it is of critical importance to have an assurance that such vulnerabilities do not exist. Such an assessment may also assist in defining an appropriate algorithm and key size.
It is recommended that data controllers ensure that any solution that they, or a data processor acting on their behalf, implement meets the current standards such as FIPS 140-2 (cryptographic modules, software and hardware) and FIPS 197.
Encryption products certified via the product and service tests from the National Cyber Security Centre (NCSC) – such as Foundation Grade assurance (under the Commercial Product Assurance scheme and/or International Common Criteria) or the CAPS Assisted Products scheme – would also meet the current standard.
Guidance from the European Union Agency for Network and Information Security on Recommended cryptographic measures and the United States National Institute of Standards and Technology Special Publication 800-131A Rev. 1 (Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths) also provide additional information on the current status of encryption algorithms.
In some instances such specific assurances may not be available. For example, many open source software products do not have sufficient capital to fund certification. However, government security agencies and private IT security organisations can offer advice regarding which specific protocols or algorithms which should be considered appropriate although a data controller should be aware of the limited assurances when no certification or guidance is available. An example of such advice from the NCSC on the use of TLS includes:
The lack of formal assurance in TLS implementations means there may be implementation weaknesses. Using recent, supported and fully patched versions of TLS implementations from reputable sources will help to manage this risk.
This statement highlights the importance of keeping software up to date as vulnerabilities in the code may be discovered over time, eg Heartbleed and Shellshock.
Keeping the key secure
It is important to ensure that symmetric keys and private keys remain secret as these provide the ability to decrypt the data.
In many cases keys are stored in a hierarchy for ease of management. The top level key is used to encrypt the keys below it and must therefore be managed securely.
All keys should have a finite lifespan and data controllers need processes in place to generate a new key and re-encrypt the data. The old key should then be archived and securely deleted when no longer required.
In symmetric encryption, the key is sometimes derived from a shorter, more memorable password. It is therefore imperative that any password used to derive or secure the keys also remains secret. A poor choice or a compromise of the password can significantly lower, or even eliminate, the level of protection offered by an encryption product.
In the event that the key is compromised, or even if this possibility cannot be excluded, it may be necessary to revoke the existing key and generate a new key or key pair to protect data in the future.
It is also the case that loss of the decryption key will likely mean that no-one will be able to gain access to the data. Loss of the decryption key could constitute an ‘accidental loss or destruction of, or damage to, personal data’ and would therefore be a breach of the seventh principle of the DPA.
A laptop is protected using a secure full disk encryption product. This means that when the laptop is switched off the personal data is stored in an encrypted form.
If the laptop is stolen and the thief powers on the laptop he is challenged for the password. Without knowledge of the password the attacker is unable to access the data.
However, if the laptop user’s username and password were written on a piece of paper stored alongside the laptop the thief has all the necessary information in order to decrypt the data and gain full access to it, thereby rendering the encryption ineffectual.