New Technique Eases Encryption for DatabasesMarch 20, 2008 – 5:17 AM
Voltage Security offers to make deploying encryption at the database level less painful with a technique called Format-Preserving Encryption.
Shocking the encryption market is not easy to do, but officials at Voltage Security must hope their new approach to encryption will do exactly that.
The company’s flagship SecureData product uses a cryptographic technique Voltage Security calls Format-Preserving Encryption. SecureData was first released to the public in fall of 2007, though the company waited until now to speak about it publicly.
The overall aim of the approach is to ease the process of encrypting databases. Unlike traditional algorithms that expand data into binary fields, Format-Preserving Encryption, or FPE, allows encrypted data to keep its original format on a character-by-character basis, so that the data fits in existing fields and there is no need for database schema changes. It also preserves referential integrity, which enables encryption of foreign and indexed keys and ensures internal consistency in masked data, company officials said.
With other approaches to encryption, a nine-digit Social Security number or a 16-digit credit card number, when encrypted using regular AES, produces binary blocks of data much larger than nine or 16 digits. Longer strings require changes to the database size, which means database schema changes.
“The encrypted data can be stored in place, without any database schema changes, and all to the same strength as 256-bit AES [Advanced Encryption Standard],” said Mark Bower, director of information protection solutions at Voltage Security. “Any information thief would assume they are accessing the actual, correct numbers. However, obtaining this data will yield them nothing.”
Implementing FPE also eliminates the cost and effort of dealing with applications affected by schema changes, Bower said.
“If you look at the data privacy problem, data resides across all manner of systems—some more than 25 years old,” Bower said. “So legacy applications that may contain highly sensitive customer data can now accommodate encryption where before it was impossible; it’s not often possible to change database schemas if the legacy application expects a particular rigid schema—the applications break.”
Forrester Research analyst Paul Stamp said the firm’s approach removes a layer of complexity from the database encryption process.
“It can also make it easier to ship production data into a test environment, which is a big deal for maintaining security in the troubleshooting process,” Stamp said.