Encryption - Pseudonymization

Intro

The scope of this section is to introduce the reader to the technical countermeasures that can be adopted to protect personal data and thus satisfy the main data protection principles. The results and benefits, in terms of data protection, of the various techniques will be presented. Furthermore, depending on the objectives of each stakeholder (that is, the privacy requirements they aim to fulfil), alternative ways of applying/implementing each technique are presented.
At the end of the study, the reader is expected to:
  • Understand the notion, uses and benefits of encryption and the differences between symmetric and asymmetric encryption.

  • Be able to use hash functions and digital signatures for pseudonymization, identity verification and integrity checks.

  • Be able to use PGP / IP-SEC / VPNs for protecting personal data in transit.

  • Understand the difference between anonymization and pseudonymization and in which cases each one will be useful.

  • Know how a data set can be anonymized or pseudonymized.

1. Symmetric Encryption

Key messages

  • Symmetric encryption is an efficient way to protect the confidentiality of data at rest and/or in transit.

  • The involved parties should consider the “key management” problem, or in other words how the encryption/decryption key will be distributed among them.

  • Several different methods (stream ciphers, block ciphers) and algorithms (DES, 3DES, AES) can be adopted for the encryption process, depending on the requirements that should be fulfilled.

See relevant slides

2. Asymmetric Encryption

Key messages

  • Asymmetric encryption complements rather than replaces symmetric encryption.

  • Asymmetric encryption solves the encryption/decryption key management problem but is significantly slower compared to symmetric encryption.

  • It can be used for protecting data confidentiality, data integrity and entity authentication.

See relevant slides

3. Hash Functions – Digital Signatures

Key messages

  • Hash functions can be used for:

    • verifying the integrity of a “message”

    • creating digital signatures for entity authentication

    • secure processing of users' passwords

    • checking/verifying the validity of a file in forensic analysis

  • Digital signatures can be used for verifying the identity of the sender as well as the integrity of the data

See relevant slides

4. PGP – IP SEC - VPN

Key messages

  • The PGP software is a nice option for encrypting files or e-mails

  • IP SEC is a protocol that “forces” security at the Internet Protocol (IP) level. It ensures:

    • Authentication

    • Confidentiality

    • Key management

  • A VPN can provide a safe and encrypted connection over a less secure network, such as the public internet

See relevant slides

5. Anonymization

Key messages

  • Anonymization means that there is no way (implicit or explicit, easy or difficult) to identify a physical person from a data set.

  • “Real” anonymization of a data set is very hard to achieve.

  • Anonymous data are not considered personal data and thus the GDPR is not applicable.

See relevant slides

6. Pseudonymization

Key messages

  • Pseudonymization means the processing of personal data in such a way that the personal data can no longer be attributed to a specific person without the use of additional information (provided that such additional information is kept separately).

  • Personal data which have undergone pseudonymisation should be considered to be information on an identifiable natural person. That is, pseudonymization does not result in anonymous data.

  • Pseudonymization is considered an effective way to protect personal data.

  • Various different techniques, each one having advantages and disadvantages, are available for pseudonymizing data according to the stakeholders’ needs.
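The keyed-hash pseudonymization described by the key messages above (a hash function from section 3 combined with a secret key that is the "additional information kept separately"), as an added example that is not part of the original course material; the records, the key and the field names are constructed for illustration:

```python
import hashlib
import hmac
import secrets

# Constructed sample data set (not real people): the same person appears twice.
RECORDS = [
    {"id": "AB123456", "email": "alice@example.org", "visits": 3},
    {"id": "CD987654", "email": "bob@example.org", "visits": 7},
    {"id": "AB123456", "email": "alice@example.org", "visits": 1},
]


def generate_pseudonymization_key() -> bytes:
    # The key is the "additional information": store it separately from the
    # pseudonymized data set, under separate access control.
    return secrets.token_bytes(32)


def plain_hash_pseudonym(identifier: str) -> str:
    # Unkeyed hash: deterministic, but needs no secret to recompute.
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    # HMAC-SHA256: deterministic for the same key, so records of one person
    # stay linkable, but unrecoverable without the separately held key.
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes, fields=("id", "email")):
    # Replace direct identifiers with keyed pseudonyms; keep the other attributes.
    out = []
    for rec in records:
        new = dict(rec)
        for field in fields:
            new[field] = keyed_pseudonym(rec[field], key)
        out.append(new)
    return out


def linkable_from_candidates(pseudonym: str, candidates) -> bool:
    # Risk check: an unkeyed hash of an identifier drawn from a small, known
    # value space can be matched by hashing every candidate. A keyed pseudonym
    # cannot be matched this way without the key.
    return any(plain_hash_pseudonym(c) == pseudonym for c in candidates)
```

Because the pseudonym is deterministic per key, the pseudonymized data set can still be aggregated per person (e.g. summing `visits`) while the key stays with the controller.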

See relevant slides

General References

  1. “Cryptography and Network Security – Principles and Practice”, W. Stallings, Chapters 1-10

  2. “Handbook of Applied Cryptography”, A. J. Menezes, P. C. Van Oorschot and S. A. Vanstone, CRC Press, 1996 (Available at: http://www.cacr.math.uwaterloo.ca/hac/)

  3. “Encyclopedia of Cryptography and Security”, Van Tilborg (ed.), Springer, 2005 (Available at: https://www.rocq.inria.fr/secret/Pascale.Charpin/encyclopedia-tout.pdf)

  4. “Pseudonymization Techniques and Best Practices”, Editors: Athena Bourka (ENISA), Prokopios Drogkaris (ENISA), Ioannis Agrafiotis (ENISA); Contributors: Meiko Jensen (Kiel University), Cedric Lauradoux (INRIA), Konstantinos Limniotis (HDPA), ENISA, 2019 (Available at: https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices)