STANDARD FUNCTIONSRandom Bit Generators. Secure Hash Functions.

CONTENTS

1. Random Bit Generators
2. Secure Hash Functions
3. Key Derivation Function
4. Data Sanitization Methods
5. Data Masking
6. Data Random Encryption
7. Data Destruction

RANDOM BIT GENERATORS
NIST Special Publication 800-90A

There are two fundamentally different strategies for generating random bits.

One strategy is to produce bits non-deterministically, where every bit of output is based on a physical process that is unpredictable. This class of random bit generators (RBGs) is commonly known as non-deterministic random bit generators (NRBGs).

The other strategy is to compute bits deterministically using an algorithm. This class of RBGs is known as Deterministic Random Bit Generators (DRBGs).

SECURE HASH FUNCTIONS
Secure Hash Standard (SHS) - FIPS 180-4

Any change to the files or databases will, with a very high probability, result in a different files or data.

This property is useful in the generation and verification of digital signatures, files, data, authentication, and in the generation of random numbers or bits.

Each algorithm can be described in two stages: preprocessing and hash computation.

Preprocessing involves padding the data, parsing the padded the data into m-bit blocks, and setting initialization values to be used in the hash computation.

The hash computation generates a data schedule from the padded data and uses that schedule, along with functions, constants, and word operations to iteratively generate a series of hash values.

The final hash value generated by the hash computation is used to determine the data digest.

The algorithms differ most significantly in the security strengths that are provided for the data being hashed.

Additionally, the algorithms differ in terms of the size of the blocks and words of data that are used during hashing or message digest sizes.

KEY DEVIATION FUNCTIONS NIST SP 800-108

Кey derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a cryptographic hash function or block cipher).

KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES.

The original use for a KDF is key derivation, the generation of keys from secret passwords or passphrases.

Variations on this theme include:

• In conjunction with non-secret parameters to derive one or more keys from a common secret value (which is sometimes also referred to as "key diversification"). Such use may prevent an attacker who obtains a derived key from learning useful information about either the input secret value or any of the other derived keys. A KDF may also be used to ensure that derived keys have other desirable properties, such as avoiding "weak keys" in some specific encryption systems.
  
  
• As components of multiparty key-agreement protocols. Examples of such key derivation functions include KDF1, defined in IEEE Std 1363-2000, and similar functions in ANSI X9.42.
  
  
• To derive keys from secret passwords or passphrases (a password-based KDF).
  
  
• To derive keys of different length from the ones provided: one example of KDFs designed for this purpose is HKDF.
  
  

Note: Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.

DATA SANITIZATION METHODS
BS-1493 hybrid technology

Data sanitization involves purposely, permanently deleting, or destroying data from a storage device, to ensure it cannot be recovered.

With sanitization, storage media is cleansed so there is no leftover data on the device, and no data can be recovered, even with advanced forensic tools.

There are four primary methods to achieve data sanitization:

• Data masking;
• Data random encryption or hashing;
• Data destruction;
• Data storage physical destruction.

File Destroyer Manager (FDM) uses both standard and hybrid (as BS-1493 M) technology solutions for data sanitization.

DATA MASCING

Data masking is a widely used technique in compliance strategies and is explicitly required by some compliance standards.

Masking involves creating fake versions of the data, which retain structural properties of the original data (for example, replacing real customer names with other, randomly-selected names).

Masking techniques include character shuffling, word replacement, and randomization. What is common to all these techniques is that the masked version of the data cannot be reverse engineered to obtain the original data values.

Data masking sanitizes data on the device while it is still in use. The key advantages of sanitization compared to other techniques are:

• Quick and easy to implement;
• Complies with most regulations and standards;
• Can be applied on an ongoing basis to existing data;
• Does not require a special sanitization policy for decommissioned devices-unless they contain unmasked data.

DATA RANDOM ENCRYPTION

A hybrid cryptographic method that uses a random configuration of base crypto primitives.

The secret key is generated based on a randomly selected KDF function and is destroyed after the process is completed.

Encryption is a fast and effective way to sanitize storage devices. It is best suited for removable or mobile storage devices, or those that contain highly sensitive information.

File Destroyer Manager (FDM) uses specialized encryption technology that is independent of the hardware and operating system used.

All processes are fully automated and exclude human intervention, which practically reduces the probability of error to a minimum.

DATA DESTRUCTION

This technique uses software to write random 0s and 1s on every sector of the storage equipment, ensuring no previous data is retained.

This is a very reliable form of sanitization because it validates that 100% of the data was replaced, at the byte level. It is also possible to generate auditable reports that prove data has been successfully sanitized.

The advantage of this method compared to physical destruction is that it does not destroy the device and allows it to be sold or reused.

However, the downside of data erasure is that it is a time-consuming process, is difficult to carry out during the lifetime of the device, and requires that each decommissioned device goes through a strict sanitization process.

  Contents