Background on Encryption Algorithms
Encrypting information to ensure it can only be read by authorized parties is a concept that has been applied throughout history and has become a crucial part of today’s information technology and security. Most algorithms take an arbitrary string of characters, called a key, and use it, along with another algorithm, called a hash function, to transform a message into a seemingly random string. Larger key sizes correspond to more secure encryption, with sizes between 128 and 256 bits generally being used in modern applications.
Cryptographic keys are generally created through a secure random number generation algorithm, which receives its primary data from some non-deterministic source to output numerical data. This approach ensures that the output is as close to true randomness as possible, while regular computer random number generation algorithms use more predictable sources, such as the system clock, as input. Finally, symmetric encryption algorithms use a single key for both encryption and decryption (Manico & Detlefsen, 2014). Asymmetric algorithms use different keys for encryption (public key) and decryption (private key), thus allowing users to receive encrypted messages without exposing a means of decrypting them (Manico & Detlefsen, 2014). Modern encryption algorithms are sufficiently secure to be infeasible to defeat without access to the key; while theoretically possible, it would require more than a human’s lifetime to do with the most advanced hardware. Vulnerabilities can allow unauthorized decryption in a sufficiently short time to be feasible. The algorithms currently in use as standard have no known vulnerabilities.
Encryption Algorithm Recommendation
The choice of an encryption algorithm for long-term file storage involves certain security considerations. Archival does not imply transferal or modification of files; encryption will be applied to files to prevent unauthorized parties from accessing their contents. This data may have to be read at an unknown future date, meaning that the encryption should be fully reversible. Besides unauthorized access, this reversibility presents another potential risk: unauthorized alterations to the archived files. To mitigate this threat, encrypted files should be signed, making it obvious if they were changed between their initial encryption and later access (Manico & Detlefsen, 2014). Since the enciphered data does not need to be transferred or used by an entity other than Artemis Financial, there is no need to use an asymmetric algorithm.
Current government regulations primarily require that confidential information is secure without mandating the use of specific measures. Encryption, if not explicitly required by regulation, is often listed as a suggested solution to data security. Examples of such legislation are the Federal Trade Commission’s Standards for Safeguarding Customer Information and the European Union’s General Data Protection Regulation (European Union Agency for Fundamental Rights and Council of Europe, 2018) Federal Trade Commission, 2019). By encrypting its archives, Artemis Financial complies with such regulations.
Based on these considerations, the advanced encryption standard (AES) is the best option. It is the generally accepted standard, meaning that if a vulnerability is discovered, it will be publicized quickly. AES is a symmetric algorithm, meaning that the same cryptographic key is used for enciphering and deciphering data. Although symmetric algorithms can be viewed as less secure than asymmetric ones, it is not a critical difference when the encrypted data is not intended for transfer. Symmetric algorithms are faster than asymmetric ones, but this difference is not relevant for archival. Similarly, while a key size of 128 bits makes the time required to crack AES infeasible, larger keys can be used as a form of future-proofing at the expense of longer encryption and decryption times.
References
European Union Agency for Fundamental Rights and Council of Europe (2018). Handbook on European data protection law.
Federal Trade Commission (2019). Standards for safeguarding customer information. Federal Register, 84(65).
Manico, J., & Detlefsen, A. (2014). Iron-Clad Java. Oracle Press.