(For example, U.S. social security numbers)

QUESTION: I want to encrypt social security numbers (e.g., to avoid potential security problems with sending data work overseas). However, I still want to maintain the ability to match social security numbers to merge files, run gain/loss analysis, check for duplicate keys, and so forth. Can I do this?

ANSWER: Yes. The Social Security Number Encryption tool (outside of ProVal) can be used to encrypt or decrypt the social security numbers (SSNs) in ProVal databases. This tool gives you the ability to restrict specific ProVal users from seeing the real SSN while retaining the ability to match social security numbers, to, for example, merge files, run a gain/loss analysis, check for duplicate keys, and so forth.

Two files, ENCRYPTLIST.TXT and ENCRYPT.BAT, are required in order to encrypt social security numbers. The file ENCRYPTLIST.TXT contains the list of folders containing ProVal clients whose databases have social security numbers that need to be encrypted, whereas the file ENCRYPT.BAT is a batch file that contains the commands required to perform the encryption. (Note: List the location of the ProVal client, i.e., library files, even if the client’s ProVal databases are stored in a different folder.) As expected, another batch file, DECRYPT.BAT (similar to ENCRYPT.BAT), is required to perform the decryption.

 

To encrypt one or more clients:

1. All three files mentioned above must be in the same folder. Select a suitable folder to store them in – the use of the ProVal working directory (as defined in the ProVal License Server Installation Guide – or see your IT professional), which contains the PROVAL.INI file, is generally recommended.

2. Create the ENCRYPTLIST.TXT file and list the names of client folders in this file, as shown:

3. Create the ENCRYPT.BAT file – decide on a numeric encryption key and then type the following commands into the EXCRYPT.BAT file, as shown:

NOTES:

The right argument to mENCRYPT shown above, 12345, is the user-supplied encryption key. This key is any non-zero number with at least two digits and will be used in the encryption algorithm. The identical key must be used when decrypting; otherwise the decryption will fail. This allows client managers to encrypt their clients with different keys.

The path to provalw.exe must be fully qualified (i.e., identified) in case provalw.exe is not in the folder where the three files are stored (e.g., as in a typical network installation of ProVal).

4. Before the encryption operation starts, ensure that ProVal is not open.

5. Run ENCRYPT.BAT to perform the encryption.

6. The encryption tool logs noteworthy events in a file (that it creates) called ENCRYPTLOG.TXT. It is recommended that this file be reviewed to ensure the success of the encryption operation.

 

To decrypt one or more clients:

1. Create the DECRYPT.BAT file: make a copy of the ENCRYPT.BAT file and call it DECRYPT.BAT. (As previously mentioned, store it in the same folder as ENCRYPT.BAT.) Open DECRYPT.BAT and change the mENCRYPT directive to mDECRYPT, as shown:

2. Follow steps 4-6 above for encrypting, running DECRYPT.BAT.

 

Usage notes:

• Importing data into an encrypted database is not allowed. The database must first be decrypted before data is imported.
• You can tell that a database is encrypted by the suffix “<SSNs encrypted>” that is appended to the current database's name at the bottom of ProVal's main window.

 

Encryption algorithm notes:

• The encryption algorithm takes a SSN and a key and returns a SSN with the same number digits. For example, it might take the SSN 12345 and return 93843 (i.e., still 5 digits). The exact digits, but not the number of them, will vary based on the key provided.
• The key is provided by the user and is an integer value with between 2 and 9 digits, i.e., between 10 and 999,999,999.
• Once encrypted, the SSN appears on file and in ProVal as the encrypted value. Only encrypted SSNs are stored in ProVal databases; the original SSNs aren’t stored anywhere.
• The encryption algorithm was developed by WinTech to satisfy the properties above. We don’t disclose the exact algorithm in the interest of security.