Privacy Data: The Data Encryptfeii. Protection GAO. ifi: i:.:i:i'y-: - mii'-- ii$i' '- ''yf-.,-:- Piograivi Kvaluation an(i MtM hodcjlogy Division IS:

Transcription

1 GAO i MPtrd Stales ( riumji! Airouiiliii^ OtTitr Piograivi Kvaluation an(i MtM hodcjlogy Division /^D(^44 March 1987 Privacy Data: The Data Encryptfeii ikf-.:-... iii-' tw'i-! - ' c'i:'\ :B'-- Protection S: ifi: i:.:i:i'y-: - ii'-- l l v ' f-:: ^M i ::.:i'"i(i' : ii$i' '- ''yf-.,-:- rsi.!.;- ^iinii-il^'itihj, Transfer Pap)er 8 fl'mi^u^r^'l^iin^i^^^

2 PREFACE This paper addresses the rationale for and uses in evaluation of data encryption procedures with particular ephasis on the data encryption standard (DES). The data encryption standard provides a tool that can greatly increase the privacy and confidentiality of sensitive data. By being able to provide this protection an evaluator ay ore easily obtain personal or otherwise sensitive data. Specifically, progra evaluators now have a eans for protecting any sensitive inforation they have collected. This paper is not applicable to situations in which the potential user has an application that involves national security inforation. Further, it is not applicable to soe civil uses such as those involving electronic funds transfers that will require a certified ipleentation of the DES, which requires a hardware rather than a software process. n other cases, the DES software process presented here ay provide a relatively siple and econoical ethod of protecting the privacy of data. After reading this paper, evaluators should be able to recognize when data encryption ay be useful in a study, understand the basic approach to utilizing data encryption in dealing with privacy or confidentiality concerns, and provide the technical docuentation so that a GAO design, athodology, and technical assistance group in headquarters, a technical assistance group fro the regions, or their counterparts outside GAO could construct and operate a coputer progra to perfor data encryption. Exaples of general applications are discussed in order to provide^ an evaluator with a good basis on which to judge the utility of encryption in specific settings. However, certain guiding assuptions can be shared iediately: The data encryption st^.ndard provides a benchark for encryption work because of its status as an official federal standard. The reader is cautioned, however, that DES ay not be used to safeguard national security inforation. Protection of identity, as well as the preservation of a unique identifier for data retrieval or atching, can be : provided by enciphering the personal identifier, either nae or nuber. Encrypted data files should have soe for of unencrypted backup. That is, the evaluator should be able to. recreate the encrypted data if necessary.

3 with these assuptions guiding the applications of data encryption efforts, the evaluator is in an advantageous ethodological position to undertake work that previously ay have been only partially copleted because of concerns with privacy and confidentiality. Privacy Data; The Data Encryption Standard Provides Valuable Protection is one of a series of papers issued by PEMD. The the series include Causal Analysis; A Method to identify and Test Cause and Effect Relationships in Progra Evaluations, Content Analysis: A Methodology for Structuring and Analyzing Written Material, Designing Evaluations, using Structured interviewing Techniques, statistical Sapling, and Developing and using Questionnaires. Readers of this paper are encouraged to.send questions or coents on it to e. Eleanor Chelii^isky Director ijiiiiii^tltttttliiik

4 C o n t e n t s Page PREFACE 1 CHAPTER f. 1 NTRODUCTON Need to protect data Methods of protection Data encryption standard Advantages and disadvantages of the DES Who should use this report The organization of this paper USES OF THE DATA ENCRYPTON ST.^NDARD Modes of operation Protection of sensitive data Merging data fro different sources if':. f il APPENDX TECHNCAL DESCRPTON: HOW TO USE DES SOFTWARE ENCRYPTON Overview of the data encryption processing flow Specification of a DES keyword use of the DES eulation coputer progra DES utility progra Exaples of user application progras i V OES progra in C language Other ethods of data encryption V Recent developents in data encryption 75 BBLOGRAPHY 78 GLOSSARY 79 fc 1: FGURE 2.1 DES algorith (electronic codebook ode) 15 : s DES algorith (cipher block chaining ode) Nuber of possible DES codes DES keyword recording for } ' f^ i^ig;:-fet^!;:i::kj:.^:>a:%;^.m. z:?si, ---i-iirriiri JiMth.-HM

5 FGURE 1.1 OES utility ain Subroutine SETKEY Subroutine SETKEY expanded Subroutine HKEY Subroutine DES Subroutine DES segent Subroutine DES segent Subroutine DES segent 3 39 %' r 1.9. Subroutine DES segent 4 processing two D nubers Processing hexadecial nubers processing alphanueric characters 59.l Cipher block chaining ode 61 TABLE 2.1 Changes in ciphertext resulting fro plaintext and key changes 16 ABBREVATONS 3* : i ACM ASC DES EBCDC ECB PPS BM MAC NBS MSA Association for Coputing Machinery Aerican standard code for inforation interchange Data encryption standard Extended binary code for data interchange Electronic codebook Federal inforation processing standard nternational Business Machines Message authentication code National Bureau of Standards National Security Agency,.-; ':^ :j^-:^:.i ::i'ld ^^.«;Vfe.-^ia^;V.^. /:^A>/J-:...';^ ::^:^^V.; ' :i'-,' -.:'Sw...;,:;Rfi

6 CHAPTER 1 NTRODUCTON This chapter discusses an evaluator's need to protect data and introduces a software cryptographic approach to data protection, the data encryption standard (DES), an official federal standard recoended for broad classes of protection.^ The DES can be iple.ented on a broad range of coputers, both large and sall. Moreover, after the technical details of ipleentation have been carried out, the encryption ay be used with no further requireent for technical skills. t can be used to protect identities, personal inforation, or any other data that needs to be protected. (Exaples of its use are discussed in chapter 2.) The DES is a cryptographic ethod that is in the public doain. The sensitive data are protected by being ^ cryptographically enciphered. The outcoe of the encipherent depends on the data beinq protected and by a user-selected key, one of approxiately 72 quadrillion choices. The safety of the sensitive data is ensured by the protection of the cryptographic key, generally an easier task than the protection of the original data. NEED TO PROTECT DATA >..':'.K r There are situations when certain types of inforation need to be physically safeguarded fro becoing available to those outside soe designated group. As alost everyone knows, national security inforation ust be protected against accidental disclosure. There is also soe proprietary or otherwise privileged inforation that likewise ust be restricted. GAO evaluators ust be able to provide adequate security and protection to such data if we are to fulfill our pledges of confidentiality. \': " Cryptography renders a essage unintelligible to outsiders by various transforations of sybols used to transit the essage. f ^ The plaintext is the uncoded essage that is to be put into k." secret for. Ciphertext is the transfored (encoded) plaintext, ' (The words encipher, encode, and encrypt are used 'i interchangeably.) A key, or keyword, is a (secret) set of ; sybols (nubers or characters) selected by the user to, :; ^ initialize the encryption and thus generate the protected ciphertext. A block, as used in this paper, is a group of 8 consecutive characters, e.g., " " or "Now is t." The it; standard for the software cryptographic approach discussed in - this paper, DBS, is the following publication: U.S. Departent of Coerce, National Bureau of Standards, Data Encryption * Standard (Washington, D.C; January 1977), federal inforation processing standard (FPS) publication 46, K -- -

7 n addition, we need to consider Privacy Act safeguards. The Privacy Act of 1974 was an attept by Congress to legislate general governentwide standards for the protection of individual privacy by iposing restrictions on the collection, aintenance, use, and disseination of personally identifiable records. This act, as well as any private agreeent an evaluator ay have entered into (e.g.', pledges of confidentiality), spells out the necessity for protecting personal inforation. Although as a legislative agency, GAO is exept fro the Privacy Act, we attept, as a atter of policy, to carry out our responsibilities in a anner consistent with the spirit of the act. n addition, because we frequently use other agencies' privacy systes of records in our work, good practice requires that personal inforation be carefully safeguarded both against public release and inappropriate uses. This paper addresses data encryption as a tool for protecting privacy and confidentiality. METHODS OF PROTECTON Generally speaking, the greatest protection is afforded by ensuring physical security and controlling access to the inforation to be protected, very often in the storage and transittal of secret data, security will be afforded through physical eans such as safes, ared couriers, and shielded transission cables. ndeed, physical protection is still valuable in this age of data processing and electronic counications. When essages are hand-carried, there are no signals to intercept. However, couriers and hand-delivered docuents can generate their own counication probles, e.g., tieliness. A docuent that is hand-carried fro one place to another takes longer to get to its destination than one which is transitted by electronic eans. Electronic transission of inforation, however, pays a price for speed the accessibility of the essage. Anyone with the appropriate receiving equipent can intercept the essage. Data encryption enables users to protect their data by rendering it incoprehensible to any person who is not able to undo the encryption. Generally speaking, cryptography finds ethods to transfor essages (the plaintext) into cryptogras (the ciphertext). Soe encryption ethods are intended only to afford iiited teporal protection. Others, while theoretically vulnerable, in practice offer invulnerable protection. DATA ENCRYPTON STANDARD The data encryption standard specifies an algorith to be ipleented in electronic hardware devices and used for the cryptographic protection of coputer data. t was adopted by the : National Bureau of Standards (NBS) on July 15, As such, the S- DES is a federally approved standard for safeguarding the.. traasission and storage of all data that are not classified t- according to the National Security Act of 1947, as aended, or the ih

8 i ^ j i i ; : :...,:.:.-:...; i nn Atoic Energy Act of 1954, as aended, use of the DES is encouraged by nonfederal governent organizations when such use provides the desired security for coercial and private organizations,2 Very briefly, the DES works by using an enciphering key selected by the user to initialize a pattern of transpositions and substitutions.3 The data to be enciphered are subjected to the transforations and the output of the process is the ciphertext. The DES has a very attractive and useful feature in that (for a U given key) unique inputs will result in unique outputs. Since the \l operation is syetric, this eans that two identical outputs ust have coe fro identical inputs; see, for exaple, table 2.1 on i p.l 16. [ The security provided by the DES algorith is based on the V fact that an unauthorized recipient pf a essage (intercepted) ; ust have the entire key in order to decipher the encrypted data. [; That is, if the interceptor were to attept deciphering the essage using an "alost correct" key, the correct essage would not be recovered fro the encrypted data. This is true even if {; only one of the 56 binary digits in the key is incorrectly i'; : specified. t is an all or nothing syste. 'i:- Ji -. 'i ; 6. 2For exaple, the Federal, Reserve Syste has an active encryption policy for all essages transitted within the syste, in : addition, it is pursuing the use of the authentication ode of ' the DES. That is, all essages sent over the syste will have to P have an authenticator block, even if they are already encrypted. i- (The purpose of an authenticator is to detect essage tapering. Use of an authenticator does not require that the essage'itself K be transitted in enciphered for, nor does it reveal if the j. essage has been intercepted, it does protect against an 1; undetected alteration in the essage.) The Departent of the Treasury, requires that all existing systes that accoplish elec.:ronic fund transfers with the Treasury Departent raust incorporate an authenticator by All new electronic fund ':. transfer systes ust incorporate such an authenticator iediately. For further inforation on this policy, see the ' following docuent: U.S. Departent of the Treasury, Directives f Manual (Washington, D.C: August 16, 1984), policy stateent nuber 8180, ch. TD81, sec , -^The key, which is selected by the person perforing the : encryption, deterines the precise sequence of transforations used in the encryption process. Although any string of sybols, i.e., alphanueric characters, could be used as a key, a properly 'i'.- constructed DES key ust eet a parity constraint. Refer to the i?, ; section entitled "Specification of a DRS Keyword" on page 26 for 1^ ^ an easily followed "cookbook" approach to the construction of a s randoly selected key. - W-'

9 ('<-' The only known way of obtaining the key with certainty is by obtaining atched ciphertext and plaintext and then by exhaustively testing keys by enciphering the known plaintext with each key and coparing tne result with the known ciphertext. n principle, a special purpose coputer could be constructed to perfor these tests sequentially and by so doing, recover the key. However, since 56 independent bits are used in a DES key, 256,such tests are required to guarantee finding a particular key. The expected nuber of tests to recover the correct key is Thus, at one icrosecond per test 1142 years would be required to recover the correct key.4 PES hardware and software Technically, the DES is a hardware standard. That is, the encryption algorith is in accord with the standard only when it is ipleented in a physical electronic circuit. Software applications are not certified applications of the DES. The standard specifically states: "Software ipleentations in general purpose coputers are not in copliance with this standard."5 However, this is iportant only to those individuals or organizations whose policies require the to be in copliance with the official NBS standard, software ipleentations of the DES provide the sae degree of protection to the data after they are encrypted. However, it is very easy to have an incorrect ipleentation. n fact, if the software has et the validation tests, the resulting ciphertext will be identical to that produced by a hardware ipleentation, so long as the sae key and text blocking is used.8 ADVANTAGES AND DSADVANTAGES OF THE DES The DES is increasingly being established as the de facto Aerican nonilitary encryption standard, it will probably be adopted by the nternational Standards Organization. The DES has been subjected to nuerous atteuipts at deciphering over the last ten years and there have been no known ethods of attack developed other than the "brute force" technique of trying all possible keys. li'i? - 1: n 't'f *U.S. Departent of Coerce, National Bureau of Standards, Guidelines for pleenting and using the NBS Data Encryption Standard (Washington, D.C; April 1981), PPS 74, p. 9. 5Data Encryption Standard, p. 2, ^J. Gait, validating the Correctness of Hardware ipleentations of the NBS Data Encryption Standard, U.S. Departent of Coerce, National Bureau of Standards, NBS special publication (Washington, D.C: Septeber 1980). '?.-. * i '. i^-.,.-'u!s ihfrf'i ^ -M iyii-iaaii^igl^j^----^---^-^..->

10 This data protection, however, is dependent on the physical protection of the encryption key. t the key is available, all docuents enciphered with that key are potentially coproised. The uniqueness of the encipherent is alc;o an advantage. The user of the data does not have to worry about two distinct input records having identical enciphered identifiers. f there is a need to go back to the original data base entries, the deciphering leads back to the oriqinal unique identifier. That is, the uniqueness of the identity keys is preserved by the encipherent. At the least, this can ease an analyst's concern over allowing for duplicate identifiers. The DES affords the ability to atch data fro different files while preserving privacy and anonyity so long as the owners of the files (data bases) are willing to share encryption keys or the use of a coon loolc-up table.^ An additional advantage lies in a lessening of the record keeping burden placed on the owner of the population data. The only inforation the data base owner has to retain (and protect) is the key used for the encipherent. f the owner wishes to aintain a list of the records provided, he or she ay do so. However, such a list is not necessary because the enciphered identifier is carried with each record. Any follow-up only requires the decipherent of the identifier, clearly an iproveent over having to use record books to look up the identity of each respondent based on soe arbitrary identifier in the record. This iproved efficiency of record keeping also applies to those cases when it would be useful to draw additional cases frora the file to extend the original saple. The data base owner can just extract a new rando saple of whatever type is required and provide the new (enciphered) saple to the user. The user then has only to reove duplicates and run the analyses. Another advantage of the DBS over anual ethods is its speed. Soe observers feel that the eventual preferred counications syste ay incorporate two encryption systes: the DES for the secure transission of data proper and another type of syste, which will be used only for the key-anageent portion of the transission. ^Even in the case when the data base owners are not willing to share keys, there are strategies that perit the atching of protected data. See, for exaple, R. F. Boruch, "Strategies for Eliciting and Merging Confidential Social Research Data," Policy t:^ Sciences, 3 (1972), There is always a need for sorae aount of trust, even when a "broker" is proposed, but the DES as an official standard can strengthen the case for protected sharing of inforation. iiiiiiiiiiiiiaiiiimi

11 However, in spite of the speed of the DES, encryption does iinpose an overhead burden on a project, albeit not too serious. See appendix for representative equiptient costs. The data to be encrypted ust be laid out and resources obtained to perfor the encryption. A soewhat ore serious potential disadvantage of the DES follows fro its strength. Encrypted data should have soe type of unencrypted backup. That is, the evaluator should not aintain an encrypted file as the only data source. f the key is lost, or the encryption is faulty, the data are truly lost. 11 l- Any software encryption schee is vulnerable to "spoofing," that is, an unauthorized, subtle change to an otherwise correct ipleentation. The result of such a change is that the user thinks encryption is being perfored but, in reality, the protection is only apparent and not real. One way to guard against this possiblity is to incorporate a protection schee into the code ipleentation itself. This would reveal, or prevent/ the attept at tapering., Additionally, a software tool should be totally selfcontained so as to axiize its utility. That is, the potential user should be able to just specify data to be protected and "flip a switch" to perfor the encryption. The ipleentations presented in this paper are not totally self-contained packages in that the source code ust be recopiled each tie before the algorith is used. This is also a strength, however, because it is ore difficult to ake unauthorized and undetected changes to source code than to a copiled achine language progra. This is especially true when the ipleentation ay be validated each tie before it is used in a specific application (see page 30). Finally, there are two areas that need to be entioned in connection with the DES. Neither area affects the use of the DES, per se, but both areas raise related,questions. First, it ay hot be possible to atch files if the owners are unwilling to share soe aount of inforation. Second, there are any open questions about the extent to which personal inforation needs to be either purged or caouflaged to prevent identification through data relationships such as date of birth, city, occupation, and eployer. WHO SHOULD USE THS REPORT This report is intended for use by GAO evaluators and auditors, with assistance fro a Design, Methodology, and Technical Assistance Group (DMTAG) or other technical experts in GAO who are knowledgeable about FORTRAN or "C" prograing. The evaluator should be able to encrypt data fro executive agencies with assistance fro these individuals, along with a description of the data to be encrypted and a copy of this report. 1 ^T:^-'jj^gj- jljij ^ 10 iutmi i?t t

12 A FORTRAN or "C" copiler is necessary for installation of this encryption tool on a coputer ainfrae. t can also be installed on a coputer ainfrae at an executive agency, where the data are encrypted and then stored on a coputer tape. The basic electronic codebook ode ay be applicable when the data to be encrypted are 8 characters long, or fewer; the cipher block chaining ode ay be appropriate for encryption of entire files or any data that are ore than 8 characters in length. The data encryption standard used in this software tool is not appropriate for systes of "classified national security inforation" as well as "other sensitive, but unclassified inforation, the loss of which could adversely affect the national security interest," as stated in national security decision directive (NSDD) 145. Military data, classified data, and other inforation related to the national security interest ust be encrypted and protected using eans other than those provided in this transfer paper. The GAO uses of the data encryption standard could include, for exaple, privacy data and "sensitive, but unclassified" data such as Social Security nubers, internal Revenue Service files, health care services evaluation ^. \; inforation, and pension and retireent data. 1 i-.-i.: s^::.i:!!.i;;-:.v:': i felftk. s :' 1!:-t. te- Wi':. :i KJ^-'-'-'itaS THE ORGANZATON OF THS PAPER Chapter 1 of this paper discusses the need to protect data and introduces the data encryption standard (DES), one of the official standards adopted under the provisions of public law (Brooks Act) and under part 6 of title 15, Code of Federal Regulations. Chapter 2 discusses uses of the DES in protecting data in various settings and in erging data obtained fro different sources. Such uses are illustrated by the use of the DSS in a GAO study that dealt with personnel records of senior officers in the U.S. Marine Corps. :?; Chapter 3 presents for a technical audience, such as a '^f^ headquarters DMTAG or a regional TAG, a technical overview and p^-:' discussion of a software encryption progra that siulates the l^f: hardware operation of the DES. The chapter also presents a siple ethod for the rando selection of a keyword to be used by the encryption progra. Appendix contains detailed listings and flowcharts of the FORTRAN progra used to validate the perforance of the syste that is perforing the DES encryption. Appendix presents exaples of several short ain prograras. These would be substituted in place of the validation tests to produce custoized encryption progras that ight be used in GAO evaluations. - ' -11 feii-a^:;; -r-^--f"i-"--i !'-,,,,,,^,^,,,^^^^^,^,,^^^^,g^,,,l,i,g g j ij j

13 Appendix ili contains a detailed listing of a DES progra written in C language. This progra would be used to perfor file encryption for storage or transission. Appendix V briefly entions other eans of perforing data encryption. Appendix v discusses recent developents in data encryption and the anticipated eergence of new hardware encryption device designed by the National Security Agency for national security inforation. Following appendix v are the bibliography and the glossary. M- - ll '$' - s;3i ^. is,' ':ii l'l-'' K k P -7...,'A-i',;>-1,i'^'--.*v?yK'ii:^ :v- '.-.:-:. te.... ;.. : ' :i.--;.--.i;-;ii3 :^i ii^?: ' r-fii:

14 r r. :S''::.- i «. ;.r.-. S'l.... j.ip- - -t'l'.. CHAPTER 2 USES OF THE DATA ENCRYPTON STANDARD This chapter begins by discussing DES odes of operation and then goes on to consider the following uses of the DES as a ethod of cryptographic data protection: Protection of personal identifiers to ensure privacy. Protection of sensitive data during electronic transission. Protection of sensitive data in coputer files, Ensuring the confidentiality of data. ^^Ensuring against unauthorized changes to data (essage authentication). Merging personal data fro different sources. Ensuring the confidentiality of data and erging personal data fro different sources have, we believe, the greatest potential benefit to GAO. Our capacity to ensure confidentiality should \Bf facilitate obtaining sensitive and potentially restricted data in l^j GAO evaluations. Being able to erge data fro different sources ji; eans we can enhance the potential of those data we do obtain. '^l Future opportunities will exist to ake use of the DES in t GAO. For exaple, agencies such as the nternal Revenue Service, the Social Security Adinistration, the'office of Personnel %:. Manageent, and the Departent of Defense personnel units ight be ii^ ore willing to release data if the DES is used to encrypt all appropriate personal inforation. f two of these groups elected to share a DES key, the GAO evaluator would be able to obtain a "blind" atching saple fro, say, the Social Security Adinistration and the Office of Per Sonne1 Managee n t. MODES OF OPERATON ; The DBS has four distinct odes of operation which specify i how data will be encrypted and decrypted. The odes are the ff;.. electronic codebook ode, the cipher block chaining ode, the : ^ cipher feedback ode, and the output feedback ode.1 Basically, ^'. ' <»., : :.<*':. a. if: lu.s. Departent of Coerce, National Bureau of standards, DES Modes of Operation (Washington, D.C: Deceber 1980), PPS 81 13

15 they involve differences in how the encryption algorith will be propagated between subsequent pieces of data. The greater part of this paper addresses the electronic codebook ode, a ode that was tested and used by GAO in a coparatively easy to apply FORTRAN software ipleentation. The cipher feedback and output feedback odes are not discussed in this paper. Electronic codebook ode n the electronic codebook ode, each block of inforation is enciphered independently of the result of the previous block's encipherent. That is, given the sae key, the word "evaluate" will be identically encrypted wherever it occurs. This ode is well suited to the encryption of naes or nubers that serve as individual identifiers. A Social Security nuber that is used to J?. identify an individual occurs only in the context of an '-'-y i; identifier, it is part of a larger record, but it has a separate j;; existence. t is worth pointing out, however, that in ters of iv : cryptographic security this is the weakest of the DES operating <;.. odes,?-; Cipher block chaining ;.' The paper also provides a listing of a DES progra written in the C language. The greater speed of c, as copared to FORTRAN, f akes this version of the DES algorith better suited for fit; - ipleenting the cipher block chaining (CBC) ode. As the nae BV '' suggests, this ode feeds, or "chains," the output of each block encipherent into the algorith for the next block. Thus the code text for a given clear text block depends on both the key and the preceding block. fv: n particular if one set of two blocks was "PROGRAM," "ANALYSS," and a second set was "SPECAL," "ANALYSS," the word l': "ANALYSS" would have two different cipher text j, representations even using the sae key. This is because the J;. first set used "PROGRAM," which influenced the encryption, while f' the second set used the block "SPECAL." This ode is particularly well suited to the encryption of entire records or files. The unit of encryption is in, a sense, jo; ;: the entire file. Two files will be identically encrypted by a?f : single key only if they are identical files. it is tie, however, that two records which start with the sae data, will be f:j enciphered identically so long as the clear text is the sae. Two essages which are the sae at the end are enciphered into different ciphertext. See appendix for a listing of the C ",/'.-: progra. Kf.-. r; V:V f an evaluator were enciphering an entire list of identifiers this ight be the ethod of choice. Por individual Social Security ebers it should provide the sae ciphertext as the electronic codebook ode. That is, if there is no second block, there is no chaining to take place. h. 14 M:. Wi^:.' > : ^- ^-i-;:

16 The workings of the DES algorith in the electronic codebook and cipher block chaining odes are illustrated in figures 2.1 and 2.2. in the left-hand colann, a user has a essage to protect (the plaintext). The plaintext is structured into an input block and fed into the DES algorith together with a user-selected keyword. The encryption process transfors the input block into an output block, which, when written out, becoes the ciphertext. The decryption process is an identical process. The ciphertext is foratted into an input block and passed :to the DES decryption algorith. There it is decrypted and processed into an output block which becoes the (recovered) plaintext. in addition, figure 2.2 illustrates the chaining process. M': l-.->t::. i-..kgfrfi -. p:- 't-iir;.' - Figure 2.1: OES Algortth (Electronic Codebook Mode) ^^^:: DES\ OeCryD ^.'.JS. i & -- i^i ' f -..1?- ifi-. - 1":-^ i-.'a'; '.'^i^.. i;:?:. C>Dnene>i 'M-".' i" Figure 2.2: DES Algorith (Cipher Block Chaining Mode) H Pia-nie«i i ^^^ DES Encrypi / Keywwa.DES Dec'ypt :i:^ -'S'' ;:Sj., <- ^^J Ai'- - -V Ciqtierte»i / C'phenext 15 -::^t: i'4fi^:'^i:^n:^^i:.m::^y:^i '!;-^';\y^.ii':%:?-^:yf-.::^%i. >>!.,...;;i3 iiiiiiii

17 ; - ' ; ; - :. -. ' : ' Much of the power of the DES algorith is its ability to caouflage (i.e., protect) data coupled with its siplicity of use. This power is illustrated in table 2.1. Notice how two nearly identical Social Security nubers are changed into very different ciphertext by the sae key (the,coluns of the table) Also note how two nearly identical keys will encipher the sae identifier into very different ciphertext (rows 1 and 2). Table 2.1 changes in Ciphertext Resulting Fro Plaintext and Key Changes Social Security nuber Key 1 ( FEDCAB08) Key 2 ( FEDCAB08) AEA6E716F AE426AD25F7987F E4FDC5EEBFFF0D6 FD2DF378DB55208C PROTECTON OF SENSTVE DATA All agencies have data that they wish to protect against unauthorized access and disclosure. GAO is no different, in soe cases the inforation to be protected consists of entire docuents, while in others it suffices to protect only certain pieces of inforraation within each docuent.3 The aount of protection will necessarily vary with the perceived sensitivity of the inforation. n order to decide on the aount of protection to provide, these questions ust be addressed: 1. s it necessary to retain the original docuent? 2, HOW uch inforation ust be protected in each docuent? 2The keys and ciphertext are written in hexadecial notation. atheatical anipulations of the DES lead to the use of hexadecial nubers. See page 28 for a table of binary-hexadecial-decial equivalents, The ^Because of restrictions on use of the DES, this discussion does not apply to aterials classified under either the National Security Act of 1947, as aended, or the Atoic Energy Act of 1954, as aended. Obviously, the DES also does not apply if the inforation to be protected is the original paper dpcuent. Thus it is assued in what follows that it is not iportant to save original docuents. That is, only the inforation is iportant,: not what it is recorded on; : i:;:,:. 16 :

18 '-'.1,' i^ '3: - s. 3. Why is the docuent being enciphered? Five exaples of particular interest to GAO are suarized next. protection of personal files for privacy purposes The cryptographic counity refers to the "privacy proble" in a technical sense as preventing an opponent fro extracting inforation fro a counication channel. f the concept of a counication channel is extended to include personal inforation in a folder filed in a cabinet or personal inforation in a coputerized syste of records, it will also apply to what ost people consider to be the priary privacy concern that inforation collected on the is only used for the purposes that they are officially aware of and is not diverted to other uses; (Note that this includes unauthorized access as a special case.) Again, it is assued that inforraation is to be protected, not physical docuents as such. in the siplest application, a given record (docuent) has only the nae (or possibly the Social Security nuber) of the individual to be protected. That is, it is assued there are no additional identifiers (or cobinations of identifiers) that could reveal the identity of the individual to soeone who had access to that record in the file, in this case, the DES can be used to protect identity by enciphering the personal identifier either nae or nueric After the encipherent, the record has the sae inforation content as before, but the individual's identity is only available to those who can decipher the "scrabled" identifier. Again, unique identifiers in the original record (plaintext) becoe unique identifiers in the enciphered record (ciphertext). hn application of this type, with only a liited aount of inforation to protect, is well su,ited to the use of a coputer software routine such as that illustrated in appendix i to provide the encipherent. As the aount of data to be protected increases, the hardware ipleentations of the DES becoe ore attractive. The speed of encipherent is very high so that is feasible to encipher all the data in the docuent.4 The ain attractiveness of the DES for privacy protection lies iri its very siplicity. Records could always be protected! by stripping out personal identifiers and replacing the with, for: ' exaple, an index nuber. However, the list of index nubers ust be physically protected and.ight be a quite large docuent. f!;...f H- - S :^i- 4ntegrated circuits that could encipher over 250,000 characlifsirs: per second were in use by BM in P.'-'-'ii.' 17 &,^5'-.f'. s0ii^^. r^ ^- - -' '.'i.m'v'w'^^^^^^m

19 two or ore groups are to share access to the protected records, the indices ust also be shared. This iposes certain adinistrative burdens on all concerned. Using encipherent for i protection still requires physical protection of the key, but it 1 is uch sipler to protect a single 8- or 16-character key than an entire index docuent. n order for two parties to share access to the data, only the key need be shared,5 Transission of data between audit staffs The protection of data during transission is one of the» i tasks for which the DES was originally intended. Depending on the volue of infpration to be protected, a software or hardware ipleentation of the DES could be used, if the total aount of ; inforation to be transitted were sall, then a software W;. ipleentation could be reasonable. t is the total aount of. Hi; inforation to be protected that is relevant, not how uch is on :; ^1,, each docuent. There are a nuber of anufacturers who can supply j "black boxes'' to encipher all data that flow through the. The i '&; user need only select an operating ode and the key to be used. : p* There are also software packages available that will encipher a! ;r; coputer data file. The enciphered file could then be transitted \ sf electronically in protected for to its destination. W' ' ' ' -' i 0'^ As stated earlier in this paper, national security i i^ (classified) inforation should not be transitted using the DES, f j;if but alost anything else is a possible candidate. A prie } l^fj candidate is "sensitive" inforation that is needed quickly. For.j ;;; exaple, a revision of a chapter tn a draft report could be 1 jmii:: enciphered and transitted so long as there were soe procedure j j^r for coordinating the key. (t should be possible to set up a key p" schedule at the start of a job, and just change the keys used, 1 ^J say, on the first of each onth.) Proprietary data obtained fro i ii; contractors is also a good candidate for protection. f the data M: ' -.if :. > i 5A "weakness" of all single-key encipherent systes is that the f, key ust be shared (and protected) by all parties who need access to the deciphered data. This is not really a proble when a large nuber of parties require equal access, it can be a proble if there are a large nuber of parties who only share in :^:j fj; pairs, because each pair needs a separate key. An approach ^^ called public-key cryptosystes addresses the concern of key 'i i^ train-craissioh and the ore general proble of essage % authentication, see, for exaple, D. Chau, "Security Without dentification: Transaction Systes to Make Big Brother W?. Obsolete," Counications of the ACM, vol. 28:10 (October 1985), ^i ^~ - - " - - ' : : :. ' -'A^vf^. ' M ; [ :.Si-y^-i&:^...!;^

20 were needed for, say, responding to agency coents, there would be a preiu on its rapid receipt. Personal inforation or budgetary data could likewise be protected in transission by eans of the DES. As in the earlier discussion of personal inforation the aount of inforation to be protected is dependent on its sensitivity. At one extree, only personal identifiers need be enciphered; at the other, the entire docuent. i Transission of data between user and coputer coplex n a like anner, data to be transitted between a coputer v' user and a central coputer coplex could be enciphered for protection. At the least, this would protect the data in transit. f the raw data were not deciphered at the central :; site, any attept at analysis would be futile. Protection at the. ain coputer, per se, is ore difficult because of the need to V; have the key available to the central coputer. Even though different data ites would still be distinct, there would be no etric that could transfer fro the ciphertext to the plaintext. The only easure that could be calculated would be the ode (if it existed). The actual transission would ost likely be accoplished by eans of a specialized counication device that incorporated the L- DES as an electronic icrocircuit, for exaple, a special circuit i- board added to a icrocoputer. Data would go through the encryption circuit before being transitted by the icrocoputers. Such a device could work in concert with a siilar unit at the central site, thereby preserving data i; integrity during transission. 'f. i Storage of sensitive inforation in coputer files ; The DES can be used to encipher data files that are to be? stored in a coputer. The storage ediu can be peranent as in : ] " disk packs on a central coputer or hard disks on a icrocoputer, y.': or it can be reovable as in floppy disks and tape drives. n f. peranent storage edia protection will de.end on keeping the key f) ; separate fro the data and aking use of t.e key only when 'i actually aking use of the data. That is, the data are generally aintained in '.:heir enciphered for. They are deciphered only C when they are actually being used, and are then re-enciphered. V " ',; An alternative to the coplete encipher and decipher cycle j;^;' each tie the data are accessed would be to attach a "reverse state" index to each record. That is, select the key that will be %. used to encipher the data and use it to "decipher" a set of '^.- indices that are, in fact, already plaintext. These ciphertext ^ : indices are then attached to the appropriate records. Because of ir : the syetry of the DES, when the file is enciphered these ii:: ^:,:^if i&::.:;;^i^h2,a:^;^is^^^ ^r^g^:,..,. :-;....Li...'...:::..:.:X...:.}..i...'.}.;,.z.^ :.- -.i.vo".: ^^^;^:}^vi-:^:^l jgf^-:.':.^viii4kl 19

21 ciphertext indices will revert to readable plaintext.6 This, in a sense, is close to the best of all possible worlds. The data file is protected by the DES while, at the sae tie, it contains a plaintext index that can be used for record location and retrieval. n this way, only the record(s) being retrieved need to be deciphered and the associated overhead is substantially reduced. Message authenticator The DES has an additional application, that of data, o-c essage, authenticator. According to FPS 81, "A Mf^ssage Authentication Code (MAC) is generated (coputed) as a cryptographic function of the essage (data). The MAC is then stored or transitted with the data. Only those knowing the secret key can recopute the MAC for the received essage and verify that the essage has not been odified by coparing the coputed MAC with the stored or transitted MAC An unauthorized recipient of the data who does not possess the key cannot odify the data and generate a new MAC to correspond with the odified data. This technique is useful in applications which require aintaining data integrity but which do not require protecting the data frora disclosure. For exaple, coputer progras ay be stored in plain text for with a coputed MAC appended to the progra file. The progra ay be read and executed without decryption. However, when the. integrity of the progra is questioned, a M.AC can be coputed on the progra file and copared with the one stored in the file. f the two MAC's are identical and the cryptographic key used to gent?rate the MAC has been protected, then the progra file has not been odified."7 ^This exploits the property of the DES that the encipher and decipher operations are foral inverses of each Jtt^er. Given this sae key, deciphering is accoplished by running the ciphertext through the algorith starting at what was the last transforation and ending with what was the first transforation when the plaintext was enciphered. ' *'': - "^DES Modes of Operation, p, 24, The essage authentication code is also referred to as a data authentication code. This use is further defined in U.S. Departent of Coerce, National Bureau of Standards, Coputer Data Authentication (Washington, D.C: May 1985), FPS ^h;is^^im:^i}^^^im^. <. *i^i..^t'^^-a. iiiiiii

22 < -.-: A very iportant use of the MAC is verifying the correctness of enciphered binary data, or ore generally, any nueric data. Suppose, for exaple, binary data (a coputer data file, say) are encrypted and soehow a block is garbled, when the garbled block is decrypted, the outcoe will be garbled data but it will not readily be recognized as being in error after all, it will still be a binary pattern. f, however, a MAC is used, you will at least know that a garble has occurred and are warned that there is a proble with the data, MERGNG DATA PROM DFFERENT SOURCES 'k\ k..- - «. 1^ '& %: '.it : i': t is frequently the case that two different data sources have inforation on a coon population. The degree of overlap varies widely and is a property of the data sources. That is, the researcher ay be able to select the data sources, but he or she will have to accept the structure and inforation content of each data base. n soe cases, one data set could be a subset of the other. For exaple, one file ight contain death certificates fro all- causes of death for a given region and a second file ight contain records of clais filed under workan's copensation. While one would not expect all clais to be atched with death certificates, there is soe expectation that a portion of the naes in the clai file will atch with the death data. n other cases, the population ight be nearly the sae in the two files, but the inforation collected could be quite different. Two illustrations of this application follow. Woen, nfants, and Children (WC) study n a 1979 GAO study of the WC progra, the aternal health records were aintained by one progra office, the faily data by another.8 The two offices did not have a coon file. Because the data were considered privileged edical inforation i.e., not releasable GAO was unable to obtain records in a for that would perit the to be linked and analyzed. f the DES had been available at that tie, and if the two offices were willing to share use of an encryption key or a lookup table, identifiers could have been encrypted and used to link records fro the different offices, thus building a uch richer data base for analysis. That is, given the two sets of data linked through the enciphered identity of the other, it ight w K!': ^GAO (U.S. General Accounting Office), The Special Suppleental Food Proqra for woen, infants, and Children (WiC): How Can t work Better?, CED (Washington. p.c; February 1979). "3" 21» ll^jsii^^^^ji^ti :i;,:^rf.aua.ify;jviiau^'xii;a;t!^v4;j:ai;.^i-;^i^b:.. ii.:.^-:^sm3i^h!i.:

23 if; Si. : il fe: a Tin.r l- r3i? have been possible to draw statistical conclusions about infant and aternal health using variables fro the different files, in particular, the evaluators ight have been able to reach conclusions that could not be reached fro inforation contained within one single file and that could not be established without the several variables being positively linked through a specific individual. Although at the tie of this study a tool such as the DES was not available, there was a clear requireent for a ethod that could be used to perfor such linkages. U.S. Marine Corps study The 1984 GAO study of the quality of retained senior Marine Corps Officers involved adinistrative data in the Marine Corps headquarters aster file and perforance records fro their autoated fitness reporting syste.^ The Marine Corps adinistrative archive contained a variety of adinistrative inforation on all Marines. Data ites included an identifier (Social Security nuber), personal inforation such as race and arital status, and professional inforation such ais acadeic degrees and ilitary occupational specialties. t did not contain the records of the perforance evaluations that Marines received throughout their careers. The perforance records, or fitness reports, were aintained separately and had perforance evaluation inforation for each Marine. Data ites included Social Security nuber, job title, nae of the unit through which reports are filed, and assessents of the perforance of ites such as regular duties, handling officers, tactical handling of troops, personal appearance, presence of raind, and growth potential, as well as general value to the service. These two data bases were aintained by separate offices. nforation fro thera was joined together only for the confidential use of prootion boards. GAO's study needed inforation fro both data sources in order to derive and validate a etric of "quality." The Marine Corps was concerned about both privacy and confidentiality. The Corps felt that even though GAO was exept fro the requireents of the Privacy Act of 1974, notification that data were provided to GAO would still have to be placed in the personnel files of all officers about who data were given to GAO. in addition, the perforance data are very closely held. An individual Marine ay request a copy of his or her own file and turn the inforation over to whoraever he or she wishes, but a second party ay not receive copies of the perforance rating directly. 3t"-'- P k-jif'ti ^s g j ^i^ ^M ky^^ ^GAO (U.S. General Acco-tating Office), High-Quality Senior Marine Corps Officers: How Many Stay Beyond 20 Years of Service?, GAO/PEMD-85-1 (Washington, D.C: Noveber 1984). 22 Tyi-.C;-.'.^^,^:i.l>'-'.i^\i7.*~''i--':^.-Jir wik i :'i

24 This was another exaple of a requireent to be able to atch data fro different sources. The difference between the previously cited WC study and this one was that by this tie the DES had becoe available. Personnel at the National Bureau of Standards provided GAO with a coputer progra ipleenting the DES algorith. After odifications to obtain the speicific tool needed to eet the requireent at hand, GAO extensively tested and reverrfied the validation of the software to perfor the DES encryption. ; GAO docuented the official status of the DES and provided a FORTRAN coputer progra incorporating the DRS algorith to the 'j Marine Corps. The Marine Corps personnel staff felt that use of the DES in the anner outlined by GAO would be sufficient to iff address their concerns about privacy and confidentiality. GAO guided the Marine Corps staff responsible for the ;: ; adinistrative file in the use of GAO's DES coputer package to ';.; encode each officer's Social Security nuber. This encoded nuber il replaced the actual nuber in the adinistrative records furnished il ' to GAO. That office then provided the paired social Security and ill"'... enciphered nubers to the staff aintaining the perforance data. They siilarly stripped out personal identifiers and substituted the enciphered identifiers. Thus they were able to provide GAO with actual but anonyous records. s i ;5ji ; while preserving privacy and confidentiality, the DES encoding was useful also in "data cleaning." That is, when there Ai ji' was a proble with apparently inconsistent data, GAO was able to fl, ask the Marine Corps to decode the nubers used as identifiers, $:". track down the original inforation, and correct the data. Ml j'a!.- : n; ff My.' i p; 1^ 'M :"' p. '- n:- v-% 23 i?:,.. : -;. ' - :: B;i:^:i:!i!J^':i^^i!>3::in-;.. ( ^--liti^ii'-^ij'j '... >^^^jj MiiMdJiiMMi