Encryption & Tokenization

How to protect your data with eperi

What is encryption?

Encryption means the conversion of a readable text (plain text) into a text that can no longer be read and interpreted (ciphertext). This works by using an encryption method consisting of a mathematical algorithm and a key. The recovery of the plain text is called decryption.

What is good encryption?

Not all encryption is equal: the quality of encryption depends on both the quality of the algorithm used and the key length. An encryption algorithm is a rule that describes the encryption process. However, a good algorithm does not by itself guarantee security, because security also depends on the key used and on who has access to it. The algorithm relates to the key as a lock relates to its key. Good algorithms are characterized by the fact that the appropriate key cannot be derived from information that is accessible to everyone.

Good encryption methods follow the Open Source concept and reveal the algorithm they use. This means that anyone can use mathematical procedures to check whether the procedure is correctly implemented and secure. Public knowledge about the quality of the lock does not mean that anyone can crack the algorithm – the security is mainly guaranteed by the possession of the keys. The following central principle applies: anyone who has access to the cryptographic keys can make the encrypted data readable again.

Users need to be able to recognize bad procedures in order to build on good encryption; otherwise attackers can determine the plain text or the key with mathematical tricks or statistical analysis. One example is the Caesar cipher, in which it is relatively easy to determine the key from the statistical clustering of letters. Attackers can also try to find the key by so-called brute-force attacks, in which all possible keys are tried until the correct one is found. This is very easy with the Caesar cipher, since there are only 25 different keys.

eperi solutions use secure, verifiable encryption algorithms

Good encryption methods have none of the weaknesses mentioned above and have been extensively tested by cryptanalysts. eperi consistently encrypts all sensitive data with the Advanced Encryption Standard (AES), which the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) currently classifies as a secure encryption method. eperi’s approach is that the key lies outside the data to be encrypted and outside the storage systems (such as databases). No system or cloud administrator has access to the keys – and therefore no attacker. The key lies only with the company that uses eperi solutions. In addition, hardware security modules (HSM) and smart cards can be used. This guarantees maximum safety.

Tokenization

Tokenization refers to the generation of replacement values for sensitive data. For example, the fake credit card number 7765 is generated from credit card number 1234. The value to be saved and its replacement value are stored in a mapping table. Within the company, all employees that must have access to the data can access this mapping table.

The problem with this procedure is obvious: If you have the mapping table, you can read the data. Therefore, these tables are a very popular target. The second problem with this method is that a replacement value must be assigned uniquely to an original value. This means that 1234 is always reconstructed from 7765. Due to the small range of values, it is much easier to deduce the original value compared to encryption.

eperi solutions address this weakness by encrypting the original values before tokenization and only then storing them in their own token database. This does not reduce the maximum security level of the encryption. The method used by eperi is based on tested and reliable encryption methods such as AES. The additional extension by tokenization is a method for which eperi has applied for a patent.

Homomorphic, sortable or searchable encryption

Homomorphic, sortable and searchable encryption are three alternative concepts to the method used by eperi, each of which has a number of weaknesses.

Homomorphic encryption is a class of encryption methods in which arithmetic operations on encrypted values are possible, such as the addition of two encrypted values. Homomorphic encryption is a field of cryptography research. So far the methods are too CPU-intensive to be really practicable, and the functionality is still severely limited. In addition, the methodology is so new that no statement can yet be made about the security level of such methods.

Sortable encryption significantly reduces the security level. The problem is the following: when data is encrypted, the order of the encrypted data is different from the order of the original data. This is an important and necessary feature of encryption. If, on the other hand, the encrypted data keeps the same order so that it remains sortable, this considerably reduces the security of the process. For example, if Alice, Bob and Chris are encrypted to X, Y and Z, any attacker who knows the plain text can deduce the corresponding encrypted values. By cleverly encrypting chosen plain texts, an attacker can determine the position – and thus the value – of the encrypted data set at any time.
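The leak described above, shown on a toy scheme as an added example (not eperi code and not any real product's algorithm): the secret key is a random, strictly increasing table, and comparing ciphertexts is enough to pin down a hidden value. The class name, the 16-bit value range and the sample key are assumptions made for the demonstration.

```python
import random

DOMAIN = 1 << 16  # assumption: plain texts are integers 0..65535

class ToyOrderPreserving:
    """Toy sortable encryption: a secret, strictly increasing random table."""

    def __init__(self, key):
        rng = random.Random(key)
        # Sorting the random sample makes the mapping order-preserving.
        self._table = sorted(rng.sample(range(1 << 32), DOMAIN))

    def encrypt(self, value):
        return self._table[value]

def recover_plaintext(target_ct, encrypt):
    """Find the hidden value by binary search, using only the ability to
    encrypt chosen values and compare ciphertexts. Returns (value, queries)."""
    lo, hi, queries = 0, DOMAIN - 1, 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if encrypt(mid) < target_ct:
            lo = mid + 1
        else:
            hi = mid
    return lo, queries

def demo(secret_value=41750, key=b"constructed demo key"):
    """Encrypt a constructed secret value, then recover it without the key."""
    scheme = ToyOrderPreserving(key)
    stored = scheme.encrypt(secret_value)  # what the storage system sees
    return recover_plaintext(stored, scheme.encrypt)

if __name__ == "__main__":
    value, queries = demo()
    print(f"recovered {value} after {queries} chosen encryptions")
```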

Searchable encryption uses non-verifiable and therefore untrustworthy encryption methods. In order to find an original value inside encrypted data, the encrypted value must be decrypted. This is a basic principle of encryption technology. The string “Bo” can only be found in the encrypted “Bob” if the encrypted text is decrypted first. The methods of searchable encryption encrypt, roughly speaking, each part of the word separately, so that it is possible to search for word fragments. “Bob” becomes “Xyz”. If you search for “Bo” (encrypted “Xy”), the search succeeds even though the data is supposedly encrypted.

However, this is not strong encryption, but only a kind of Caesar cipher. This was already used in antiquity (ca. 50 B.C.) and is completely unsafe.
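A sketch of the fragment-wise scheme described above, as an added example (not eperi code and not a specific product): each character is encrypted separately with a keyed, deterministic mapping, here modelled with HMAC as an assumption. Fragment search then works on ciphertext alone, and the repetition pattern of the plain text survives encryption, which is what makes such output open to the same statistical analysis as a substitution cipher. The key and the sample word are constructed.

```python
import hashlib
import hmac

def encrypt_fragmentwise(key, text):
    """Encrypt each character separately with a keyed, deterministic mapping."""
    return [hmac.new(key, ch.encode(), hashlib.sha256).hexdigest()[:16]
            for ch in text]

def contains(ciphertext, fragment_ct):
    """Search on ciphertext only: is fragment_ct a contiguous run of tokens?"""
    n = len(fragment_ct)
    return any(ciphertext[i:i + n] == fragment_ct
               for i in range(len(ciphertext) - n + 1))

def repetition_pattern(symbols):
    """Replace each symbol by the index of its first appearance,
    e.g. 'Bobby' -> [0, 1, 2, 2, 3]. Works on plain text and on tokens."""
    first_seen = {}
    return [first_seen.setdefault(s, len(first_seen)) for s in symbols]

KEY = b"constructed demo key"                     # constructed sample key
STORED = encrypt_fragmentwise(KEY, "Bobby")       # what the storage system holds

if __name__ == "__main__":
    query = encrypt_fragmentwise(KEY, "Bo")
    print("fragment found without decrypting:", contains(STORED, query))
    print("plain text pattern :", repetition_pattern("Bobby"))
    print("ciphertext pattern :", repetition_pattern(STORED))
```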
