New HIPAA-era encryption algorithms emerge

January 14, 2002

Solutions are emerging to help the healthcare industry ensure that its systems comply with the security requirements of the Health Insurance Portability and Accountability Act.

A new free encryption program, called A-Bit-Cypher (ABC), takes any data file and transforms it to a cyphered form that its IBM author says is "reasonably" unbreakable. Assuming the cyphering key used is available on the other end, ABC takes the cyphered form and exactly reproduces the original file.

ABC uses a method that builds up a cypher (which is a mapping of the bits to a new sequence), then reorders the bit sequence of the data, according to author David Soderlind of IBM Global Services (Australia).

The bit resequencing is done in 1024-byte chunks (1 KB). The number of bit combinations in 1 KB is two to the power of 8192. ABC uses only 10 billion of these possibilities, with each sequence generating a unique mapping. This figure disturbs some experts, who consider it weak compared with contemporary encryption technologies.

"The size of key is more relevant to public key encryption," Soderlind said.

Given the ABC algorithm, which can be changed, it is difficult to determine which of the 10 billion keys has been used for a given message. It requires testing the message against each key to determine if it may be the original, he said.

"The number of potential mappings for ABC, allowing for changing the mapping function, is 8192 (8192×8191×8190× ...) - a number much larger than two to the 34th power," he said.

ABC can be downloaded free from IBM alphaWorks at http://www.alphaworks.ibm.com/aw.nsf/download/abc, where emerging "alpha code" technologies are available at the earliest stages of development - before they are licensed or integrated into products - allowing users to evaluate and influence IBM research and development.

Those desiring a more elaborate encryption mechanism might consider the Advanced Encryption Standard (AES), blessed in December by U.S. Commerce Secretary Don Evans as the official government encryption tool for protecting sensitive (nonclassified) information.

The National Institute of Standards and Technology, which played a key role in the four-year evaluation of contenders, expects the new standard to be used widely in the private sector as well, to the benefit of all market segments.

AES incorporates the Rijndael (pronounced Rhine-doll) encryption formula, which supports key sizes of 128, 192, and 256 bits. For a 128-bit key size, there are approximately 340 undecillion (340 followed by 436 zeros) possible keys.
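The key-space figures quoted for ABC and AES can be put on one scale, and the effect of pure bit reordering can be observed on a 1 KB chunk. The following is an added example, not ABC's code and not from IBM: the key-to-mapping step (`mapping_from_key`), the function names and the sample chunk are assumptions made for illustration, and it assumes the cipher is a pure reordering of bits.

```python
import math
import random

BLOCK_BYTES = 1024            # chunk size given in the article
BLOCK_BITS = BLOCK_BYTES * 8  # 8192 bit positions per chunk

def mapping_from_key(key: int) -> list:
    # Hypothetical key-to-mapping step (ABC's real one is not described).
    # random.Random is not a cryptographic generator; illustration only.
    perm = list(range(BLOCK_BITS))
    random.Random(key).shuffle(perm)
    return perm

def to_bits(block: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in block for i in range(8)]

def from_bits(bits: list) -> bytes:
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[j:j + 8]))
                 for j in range(0, len(bits), 8))

def encipher(block: bytes, key: int) -> bytes:
    bits, perm = to_bits(block), mapping_from_key(key)
    return from_bits([bits[p] for p in perm])

def decipher(block: bytes, key: int) -> bytes:
    bits, perm = to_bits(block), mapping_from_key(key)
    out = [0] * BLOCK_BITS
    for i, p in enumerate(perm):
        out[p] = bits[i]      # undo: ciphertext bit i came from plaintext bit p
    return from_bits(out)

def popcount(block: bytes) -> int:
    return sum(bin(byte).count("1") for byte in block)

def strength_in_bits() -> dict:
    # log2 of each search space; lgamma(n + 1) equals ln(n!)
    return {
        "10 billion keys": math.log2(10**10),
        "all 8192! mappings": math.lgamma(BLOCK_BITS + 1) / math.log(2),
        "AES-128 keys": 128.0,
    }

# Constructed sample chunk, not real data.
SAMPLE = (b"PATIENT RECORD 0001 " * 52)[:BLOCK_BYTES]

if __name__ == "__main__":
    ct = encipher(SAMPLE, key=1234567890)
    print("round trip ok:", decipher(ct, key=1234567890) == SAMPLE)
    print("set bits before/after:", popcount(SAMPLE), popcount(ct))
    for name, bits in strength_in_bits().items():
        print(f"{name}: about {bits:.1f} bits")
```

A reordering of bits leaves the number of set bits in each chunk unchanged, so that count is visible in the ciphertext, and the work needed to search the keys is bounded by the number of keys in use rather than by the number of possible mappings.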

Products incorporating AES are expected on the market soon. Meanwhile, the National Institute of Standards will permit vendors to have their AES applications validated under its Cryptographic Module Validation Program.

For more information, see http://www.csrc.nist.gov/cryptval/.