Editorials

One Way Hash

by Ben Taylor

I’ve had the opportunity to work on private data once again. Every time this comes around we ask a few questions to help determine the best approach for handling sensitive data. We’re assuming that the data will be encrypted. But encryption has many options.

  • How soon can we perform encryption?
  • Is there a reasonable value that can be used for salting the encrypted data?
  • Do you require decryption?

In a perfect world, the most protection is available if the answer is no for decryption. Using one way encryption you cannot humanly compare the data. However, you can compare encrypted values. So, if the source of the original data provides the data again, you should be able to encrypt a new value and produce the same data, which can be compared to your stored value. This is often referred to as a one way hash.

Salting is a common technique used to slow down hackers by making encryption a little more complicated. When you encrypt two instances of the same value, if a different salt can be used for each instance, then when it is encrypted, the same data produces two different values. Technically, the encrypted values are different.

Real world scenarios work differently when you use a one way hash. Take a typically banking question from the ‘70s. A frequent question was, “what is your Mother’s maiden name?” The value was kept on file in clear text. Using a modern one way hash, the maiden name would be salted with a value unique to the bank account holder. Then it would be encrypted using a one way hash. When a customer needs to provide a key to their data, the same encryption process is repeated. Then the encrypted values are compared for validation. Unless the customer can provide their Mother’s maiden name, they cannot be validated.

What makes one way encryption more complicated is that it works on a binary level. So, the input value is case sensitive. This needs to be taken into account. A good practice is to convert the whole string to upper or lower case before encryption.

While there are difficulties with one way encryption, it provides added protection to yourself and your employees. For example, a Social Security Number should be known to an individual. But, your employees or someone getting a backup from your database do not have the ability to quickly decrypt values.

No encryption technique is foolproof anymore. Currently the one way hash is the closest implementation we have in a commercial environment.

Cheers,

Ben

Tags:
Author: Ben TaylorBen is a Relational Database veteran starting in the early eighties on DEC Vax database systems such as Bloom and Harvest. He has specialized in SQL engines for more than two decades, with a primary focus on Microsoft SQL Server. Ben has worked with small and large databases for both OLAP and OLTP working on systems for many industries such as Medical (Medical Claims and Eligibility Warehouse, HMO Provider Management, Enrollment), Financial (credit card processing, mortgage, stock portfolio management), Manufacturing (Assembly Line and Product Assemblies), Sales, Auto Auctions and more.