What Is Encryption in Federal Agencies?
According to the National Institute of Standards and Technology, encryption refers to the “cryptographic transformation of data (called plaintext) into a form (called ciphertext) that conceals the data’s original meaning to prevent it from being known or used.”
In layman’s terms, as Okta notes in a blog post, encryption basically “scrambles data that can be decoded with a key.” The goal of encryption is to send along encrypted data to a third party, who will then decrypt that information into a usable form with a decryption key.
“The method used to conduct the scrambling (encryption) and unscrambling (decryption) is known as a cryptographic algorithm, and the security of the ciphertext does not depend on the secrecy of the algorithm,” a CDW white paper notes. “In fact, the most trusted algorithms are those that have been publicly vetted to find weaknesses.”
According to Okta, there are at least three fundamental elements to modern encryption tools:
- Advanced Encryption Standard (AES), often considered the gold standard for encryption, provides a sophisticated algorithm that “transforms plain text into a series of letters and numbers, and the process is repeated multiple times to ensure complete encryption.”
- Twofish is a symmetric cipher that “uses a single key for both encryption and decryption.” NIST spurred the development of Twofish in the late 1990s by calling for the creation of more secure encryption. “Twofish is a fast system, and it’s made for network applications that require frequently changing keys,” Okta notes.
- Pretty Good Privacy is a piece of software based on an open standard, and it “uses several steps to both encrypt and decrypt data,” with developers continuously working to improve the system and add new features in response to cyberthreats.
What Is Hashing in Cybersecurity?
Hashing is a concept related to encryption, but it focuses on a different set of priorities.
According to Okta, hashing involves “scrambling data at rest to ensure it’s not stolen or tampered with. Protection is the goal, but the technique isn’t built with decoding in mind.”
As SentinelOne notes in a blog post, “hashes are the output of a hashing algorithm like MD5 (Message Digest 5) or SHA (Secure Hash Algorithm),” which “aim to produce a unique, fixed-length string — the hash value, or ‘message digest’ — for any given piece of data or ‘message.’”
Organizations with vast numbers of usernames and passwords on file, such as federal agencies, are rightly very concerned with those usernames and passwords becoming compromised, increasing the risk that sensitive data will be exposed or exfiltrated. “A password hash system could protect all of those passwords from hackers while ensuring those points aren’t tampered with before they’re used again,” Okta notes. “Hash encryption like this doesn’t anonymize data, although plenty of people believe that it does. Instead, it’s used to protect this data from those who might misuse or alter it.”
Importantly, according to Okta, a “typical hashing protocol doesn’t come with an automatic translation key. Instead, the process is used to determine alterations, and the data is stored in a scrambled state.”
Hashing vs. Encryption: What’s the Difference?
Because encryption and hashing serve different purposes for federal IT security teams, it’s important to know the key differences.
While encryption is primarily used to protect data in transit, hashing is used for protecting data in storage. Encryption can be used to protect passwords in transit while hashing is used to protect passwords in storage.
Data that has been decrypted can be decoded, but data that has been hashed cannot.
In neither case is data anonymized. Encryption relies on both public and private decryption keys while hashing relies only on private keys.
Each approach has its vulnerabilities, Okta notes. “Breaking a hash means running a computer algorithm through the codes and developing theories about the key. It should be impossible, but experts say some programs can churn through 450 billion hashes per second, and that means hacking takes mere minutes,” the company notes. Meanwhile, encrypted files can be easily decrypted if attackers are skillful enough.
It’s important to note that agencies can combine hashing and encryption techniques. “You might use hashing to protect password data on your server, but then you lean on encryption to protect files users download once they have gained access,” Okta notes.
What Are Salted Passwords and Password Hashing?
Since hashing can be defeated, there are other ways agencies can use the technique to secure data. This is known as “salting” the hash.
“Salting is the act of adding a series of random characters to a password before going through the hashing function,” Okta notes in a separate blog post.
By adding a series of random numbers and letters to the original password, agencies can achieve a different hash function each time, according to Okta. “This way, we protect against the flaw of the hash function by having a different hashed password each time,” the post notes.
Salt encryption must be stored in a database along with the user password, according to Okta, and it is recommended that salts be “random and unique per login to mitigate attacks using rainbow tables of pre-computed hashes.”
“While an attacker could still re-compute hashes of common password lists using a given salt for a password, a way to provide additional defense in depth is to encrypt password storage at rest, preferably backed” by a hardware security module or cloud key management service like Amazon Web Services’ Key Management Service, Okta notes.