How do we implement encryption?

Choose the right algorithm and key size

Choosing the right algorithm is important because vulnerabilities may be discovered over time, or advances in computing power may mean that a brute-force attack (ie attempting every possible key) is no longer a time-consuming task.

For example, as computing power advances, the time required to try every combination potentially decreases to a length of time that would make it possible to decrypt the data without the key.

You should ensure the key size you choose is large enough that an attack on it is highly unlikely to succeed, taking into account that new attack methods may be discovered. You should assess this as part of keeping your encryption under regular review.

You should use a trusted and verified algorithm rather than attempting to develop your own cryptography. You could use accredited products that:

  • provide an assurance of suitability;
  • reduce the likelihood of undiscovered vulnerabilities; and
  • permit you to demonstrate a level of compliance with legal obligations.

Example

The Data Encryption Standard (DES) was developed in the 1970s and standardised as a Federal Information Processing Standard in 1977 (FIPS 46). It had a total of 72 quadrillion possible keys.

By the late 1990s, computing power had advanced to the point that it was possible to ‘crack’ a DES key in less than 24 hours by conducting a brute-force search of all possible keys.

The Advanced Encryption Standard (AES) was subsequently published as a replacement for DES as FIPS 197. AES with a 256-bit key size has a potential 115 quattuorvigintillion keys, or 115 with 78 digits following it. There is presently no known practical attack that can brute force an AES 256 key.

Choose the right software

The way that encryption software is put together is also crucial. Software can use a state-of-the-art algorithm and a suitably long key to output encrypted data. But if its development did not follow good practice, or the product itself is poorly tested or subject to insufficient review, there may be vulnerabilities or other opportunities for attackers to intercept data or break the encryption without the users’ knowledge. 

You could choose specific software that has been independently tested to mitigate this risk.

Manage the key appropriately

You should ensure that you keep symmetric keys and passwords secret, as these give someone the ability to decrypt the data. 

In many cases, keys are stored in a hierarchy for ease of management. The top-level key is used to encrypt the keys below it and you should manage it securely. 

You could configure keys to have a finite lifespan, and have processes in place to generate a new key and re-encrypt the data. You can then archive the old key and securely delete it when you no longer require it.

In symmetric encryption, the key is sometimes derived from a shorter, more memorable password. You should take steps to ensure that any password you use to derive or secure the keys also remains secret. A poor choice or a compromise of the password can significantly lower, or even eliminate, the level of protection offered by encryption. 

You should be able to revoke the existing key and generate a new key or key pair, for example if the key is compromised or if you cannot exclude the possibility that it may be.

You should keep the decryption key secure. If you lose it, then it is likely that you won’t be able to access the data. 

Keep your encryption under regular review

The UK GDPR’s security provisions require you to be able to, where appropriate, test, assess and evaluate the effectiveness of the technical and organisational measures you implement.

This means that you must consider an appropriate review period for your use of encryption.

For example, vulnerabilities or attacks may be found at any time in an implementation of encryption or an underlying encryption algorithm. This could allow an attacker to access the personal information. 

You should assess whether your encryption methods remain appropriate on a regular basis, although it is for you to establish how often this is required, taking into account the context of your processing.

To do this effectively, you: 

  • should know what personal information you hold, and the risks any compromise would pose to people;
  • should know what encryption tools or processes you use. For example, you could accomplish this by having a cryptographic inventory;
  • should regularly check whether the encryption you use remains secure. For example, you could sign up to relevant mailing lists for urgent notices about the effectiveness of encryption, and review your encryption on a regular period (eg annually); and
  • could make a plan for how you would transition quickly and safely to a secure encryption method, if necessary.