From banking and finance to healthcare, as highly sensitive database applications have migrated to the Internet, it is absolutely vital to ensure that their data is properly protected. Sensitive data that is stolen can be used to not only damage the reputation of the originating company, but also wreak havoc on the personal lives of individuals. As has been seen from the massive-scale data breaches that have recently proliferated the news, from Target to Home Depot, even multi-billion dollar companies that follow multitudes of data security protocols cannot be kept safe from breeches. With swarms of bots searching the web for vulnerabilities in any and every web application and publicly accessible machine, it is vital to follow hold all sensitive data to a high level of security.
Generally speaking, there are two primary data encryption techniques: one-way encryption and reversible encryption. One-way encryption, such as the popular MD5 or SHA-1 hash, takes an input string or file and converts it into an encrypted string of a certain length. For instance, SHA-1 can be used to encrypt a password, by taking a password and converting it into a relatively short string of characters that can’t be mathematically reversed.
Although this might initially seem strange – to encrypt data and then lose it to a format that can’t be decoded, there are two primary uses for hashing: encrypting passwords, and performing quick searches on encrypted data. Passwords do not need to be decrypted for comparison if the login program instead encrypts the entered password, and compares it to the already encrypted password in the database. If both the encrypted database password and the encrypted login form password are exactly the same, then the login was correct and the user can be authenticated in the system.
Encrypted data search follows a similar technique. Sensitive data that needs to be decrypted for data processing, such as Social Security Number, are often stored in two formats: both in reversible encryption and one-way encryption. The reversible encryption is used when editing a data record, so that the original SSN can be displayed. The problem with reversible encryption is that it is often slow, so database searches across large numbers of records can take a long time. In order to help speed up the search, one-way encryption can be used for faster comparison and indexing.
There is a large loophole, however, in one-way encryption of short words and numbers, such as passwords and Social Security Numbers. If an attacker tries every possible combination of letters and numbers, they will eventually discover the password. This can have an inordinately high cost for decrypting a single password, however if the hackers are working on a large database or a few high-stakes accounts, the payback can justify the work involved. Large data banks of computers are used to create databases called Rainbow Tables, which contain every possible combination of input password and its resulting encrypted string. Using Rainbow Tables, any password up to a certain length of characters can be decrypted. To make it even more problematic, many Rainbow Tables are available for free access online.
This is where a technique called Salting becomes critical. A Salt is a string of characters added to each password before encryption. The Salt should be long, at least 64 characters, and should consist of a combination of numbers, letters, and symbols. By increasing the length of each password to at least 64 characters, brute force attacks such as Rainbow Tables are no longer feasible in most situations due to the processing limitations of modern-day computers. A salted password often cannot be decrypted unless the salt is known. Even then, it is advisable to add a unique record-level identifier to the pre-encrypted string as well, to make it impossible to decrypt passwords en-masse. Using the salt technique, unless the attacker is able to mathematically reverse the SHA-1 algorithm (currently not known to be possible), the password will stay secure for quite a long time.
Written by Andrew Palczewski
About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.