Re: SSN encryption
From: Andrew Swallow (am.swallow_at_btopenworld.com)
Date: 09/30/05
- Previous message: Bryan Olson: "Re: How To Abandon Microsoft"
- In reply to: drfremove_at_nber.org: "Re: SSN encryption"
- Next in thread: drfremove_at_nber.org: "Re: SSN encryption"
- Reply: drfremove_at_nber.org: "Re: SSN encryption"
Date: Thu, 29 Sep 2005 22:07:12 +0000 (UTC)
drfremove@nber.org wrote:
[snip]
> Now we have a dataset which is not actually public use, but is used by
> a dozen or so researchers who have signed confidentiality agreements.
> So there is no requirement that the SSNs be hidden. However, we have
> been asked if it wouldn't be possible to conceal the identifiers from
> the research datasets, as an extra level of protection. That way an
> accidental release wouldn't be quite so serious, since the intruder
> would have difficulty identifying who any particular record
> referred to. It seems to be a reasonable request, and several
> government agencies have published statements that they do this with
> similar datasets. We are interested in following that lead.
Assuming the researchers are using their own computers and that they will
never need to work back to the original SSN.
Generate a secret key variable.
Copy the database a record at a time.
Set each name and most of the address field to spaces. (The researchers
may need to know the town or district.)
Use AES encryption to encrypt all zeros to produce 128 random bits;
using the secret key variable and an IV equal to the SSN.
Take the SSN and exclusive-OR (XOR) it with the appropriate number of
random bits. This is the encrypted SSN; insert the number into the SSN
field of the copied record. Insert both into the encrypted databases.
If the same key variable is used, this method will produce the same
result each time, allowing changes to be detected in, say, 10 years' time.
Note: There is a possibility that two different records will be given
the same encrypted number.
If there may be a need to reverse the encryption, for instance the
researchers may have discovered people with a high probability of illness
who therefore need a medical inspection.
Set the SSN field in the copied records to a simple count and keep a
secret unmodified copy of the database.
Andrew Swallow
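
The keyed masking described in the message above, as an added example that is not part of the original post. It assumes HMAC-SHA256 from the Python standard library as a stand-in for the AES keystream step, a 30-bit width for a 9-digit SSN, and hypothetical function names; the sample SSNs are constructed. It also reports the collisions the note in the post warns about.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

BITS = 30  # assumption: a 9-digit SSN (< 10**9) fits in 30 bits


def keystream(key: bytes, ssn: int) -> int:
    """Key-dependent pseudo-random bits derived from the SSN.

    Stand-in for the post's "AES-encrypt all zeros with IV = SSN" step;
    HMAC-SHA256 is used only because the standard library has no AES.
    """
    digest = hmac.new(key, f"{ssn:09d}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - BITS)


def pseudonymize(key: bytes, ssn: int) -> int:
    """XOR the SSN with the keyed bits; the same key gives the same output."""
    if not 0 <= ssn < 10**9:
        raise ValueError("SSN must be a 9-digit number")
    return ssn ^ keystream(key, ssn)


def find_collisions(key: bytes, ssns):
    """Group distinct SSNs that were given the same masked value."""
    groups = defaultdict(set)
    for ssn in ssns:
        groups[pseudonymize(key, ssn)].add(ssn)
    return {p: sorted(s) for p, s in groups.items() if len(s) > 1}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # the "secret key variable"
    sample = range(123_000_000, 123_200_000)  # constructed SSNs, not real data
    clashes = find_collisions(key, sample)
    print(f"{len(sample)} records, {len(clashes)} masked values shared by 2+ SSNs")
    for masked, originals in list(clashes.items())[:3]:
        print(f"{masked:010d} <- {originals}")
```

Because the masked value is the SSN XORed with bits that themselves depend on the SSN, the mapping is not one-to-one, which is why the collision check is run over the whole dataset before the copy is handed out.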