




What is Encryption?

Encryption is the process of converting plain text into an alternative form through specific algorithms or methods. This technology blocks unauthorized persons’ access to important information by converting such information into illegible values. Encryption is a generic technology that directly protects significant information in terms of security.

The original data to be protected through encryption is called plain text, and the encrypted text is called cipher text. Converting plain text into cipher text is called encryption. The conversion of encrypted data back into plain text is called decryption.


One-Way and Two-Way Encryption


Encryption can be largely divided into one-way and two-way encryption algorithms. In a one-way algorithm, only encryption is possible and decryption is not, whereas a two-way algorithm can decrypt cipher text. Two-way encryption can be divided into symmetric-key encryption and asymmetric-key encryption.



Symmetric-Key Encryption

Symmetric-key encryption is also called secret key encryption, in which the same encryption key is used for both encryption and decryption. In symmetric-key encryption, data is encrypted and decrypted with the secret key. Although symmetric-key encryption boasts fast computing speeds thanks to its simple internal structure, it is difficult to manage numerous keys when exchanging information between multiple people, since the sender and receiver must share the identical key. Representative symmetric-key encryption algorithms include DES, 3DES, and AES.



Types of Symmetric-Key Encryption Algorithms


The Data Encryption Standard (DES) is a symmetric-key algorithm that was developed at IBM in 1975 and designated as a national standard encryption algorithm by the NIST in 1979. It divides plain text into 64-bit blocks and produces 64-bit blocks of cipher text by using a 56-bit key. The 3DES algorithm is the Triple Data Encryption Algorithm, which applies the DES cipher algorithm three times. However, DES is vulnerable to brute force because of its 56-bit key size. AES appeared as the alternative algorithm to replace it.

The Advanced Encryption Standard (AES) was adopted since it complies with the selection standards of the U.S. NIST: safety, costs, and implementation efficiency. The AES is being widely used all over the world because of its outstanding safety and speed.



Asymmetric-Key Encryption


Asymmetric-key encryption is also called public-key encryption. Unlike symmetric-key encryption, different keys are used for encryption and decryption, respectively. In public-key encryption, complicated math operations are used for encryption and decryption. Therefore, its efficiency may be lower than that of symmetric-key encryption. However, it is easier to manage the keys even when there is a large number of users, since multiple senders perform encryption with one public key. Representative algorithms include RSA, ElGamal, and ECC.



One-Way Encryption


One-way encryption literally means encrypting plain text in one direction. It is possible to encrypt plain text into cipher text, but not possible to decrypt the cipher text into plain text. Hash functions are generally used for one-way encryption.

A hash is a function that produces fixed-sized hash values from an input text of any size. Even though the input sizes are different, the outputs are converted into a fixed size. Since encryption keys are not used, an identical output is guaranteed from an identical input. Representative hash functions include MD5, SHA-1, SHA-2, and SHA.

MD5 (Message-Digest Algorithm 5) produces a 128-bit hash value with no limit on the length of input messages. MD5 can be used for data integrity verification, which checks whether a program or a file is identical to the original.

SHA (Secure Hash Algorithm) was designed to improve on the vulnerabilities of MD5. SHA was first designed by the National Security Agency (NSA) in 1993 and was designated as an American national standard. SHA-256, one of the Secure Hash Algorithm 2 family, is a standard hash algorithm published by the National Institute of Standards and Technology (NIST). It is widely used for blockchains and evaluated to be safe.
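
The hash properties and the integrity check described above, as an added example that is not part of the original article: it shows the fixed output size for inputs of different lengths and verifies a file against a published digest using SHA-256. The function names and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_bits(name: str, data: bytes) -> int:
    """Return the digest length in bits produced by hash `name` for `data`."""
    return len(hashlib.new(name, data).digest()) * 8


def file_digest(path: str, name: str = "sha256", chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large files are never loaded fully into memory."""
    h = hashlib.new(name)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str, name: str = "sha256") -> bool:
    """Compare the file's digest with the value published for the original."""
    actual = file_digest(path, name)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo() -> dict:
    """Constructed sample: write a file, record its digest, then alter one bit."""
    original = b"constructed sample release artifact\n" * 1000
    published = hashlib.sha256(original).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "artifact.bin")
        with open(path, "wb") as f:
            f.write(original)
        intact = verify_file(path, published)
        with open(path, "r+b") as f:  # flip the lowest bit of the first byte
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0x01]))
        altered = verify_file(path, published)
    return {"intact": intact, "altered": altered}


if __name__ == "__main__":
    for name in ALGORITHMS:
        # Same digest length for an empty input and a 10,000-byte input.
        print(name, digest_bits(name, b""), digest_bits(name, b"x" * 10_000))
    print(demo())
```

The published digest only proves integrity if it is obtained through a channel the file's distributor controls, separately from the file itself.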



Why Should Personal Information Be Encrypted?


The term “personal information controller” means a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly to operate the personal information files as part of its activities.
When utilizing the information of other persons, personal information controllers should take security measures for safe storage so that personal information is not divulged, exposed, or forged. The Personal Information Protection Act and the Credit Information Use and Protection Act stipulate personal information controllers’ obligations regarding personal information encryption as follows.

Article 24 of the Personal Information Protection Act

(3) Where a personal information controller processes personally identifiable information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety, including encryption, as prescribed by Presidential Decree, so that the personally identifiable information may not be lost, stolen, divulged, forged, altered, or damaged.


Article 28-4 of the Personal Information Protection Act

(1) When processing the pseudonymized information, a personal information controller shall take such technical, organizational and physical measures as separately storing and managing additional information needed for restoration to the original state, as may be necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.


Article 7 of the Standards for Measures to Secure Safety of Personal Data

(1) A personal data controller shall encrypt and save personally identifiable information, passwords, and biometrics information when transmitting and receiving via a telecommunications network or sending via external memory.


Article 17 of the Credit Information Use and Protection Act

(4) In providing any personal credit information to an agent in order to outsource the processing of credit information under paragraph (2), a credit information company, etc. shall take measures to protect information by which a particular owner of credit information can be identified, such as encryption, as prescribed by Presidential Decree.




The Personal Information Protection Act and the Credit Information Use and Protection Act define the targets of personal information encryption differently. The targets are divided depending on whether the personal information is stored or transmitted.




Nowadays, personal information is being utilized as significant data in all industries as well as big data, IoT, and AI technologies. Individuals and enterprises should pay attention to security when utilizing the personal information of others. In particular, enterprises handling a huge amount of personal information need to encrypt such information.




Source & Reference

KISA Encryption Promotion Website

PIPC and KISA, Personal Information Encryption Guide