Coming October 25: PeerSpot Awards will be announced! Learn more
2017-07-14T07:13:00Z
PeerSpot user
Senior Web Developer at KPMG
  • 20
  • 748

If you had to both encrypt and compress data during transmission, which would you do first and why?

Encrypt means to convert (information or data) into a cipher or code, especially to prevent unauthorized access.

Compression is a reduction in the number of bits needed to represent data.

So the question is, what do we do first? Encrypt or compress during data transmission?

21
PeerSpot user
21 Answers
it_user570081 - PeerSpot reviewer
User at Infosys Technologies Ltd
Real User
2017-07-20T06:45:02Z
20 July 17

First compress and then encrypt.

PeerSpot user
VP of Business Development at a tech services company
Consultant
2017-07-18T19:36:01Z
18 July 17

This question regarding encrypt and compress data, in which order was a good exercise. Other decision factors that you have to include in the decision process are, what are the business requirements, regulatory requirements, compliance requirements, cyber insurance requirements and the most important requirements are where is the data being stored and who will have access to it. Digital certificates, de-crypt keys and tokens have to be managed in a highly controlled environment. OneSignOn experienced a security breach in March 2017 that got to the de-crypt keys. Most likely an inside job. Here is the link to the news article.

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/

it_user633780 - PeerSpot reviewer
Engineer with 51-200 employees
User
2017-07-19T15:39:56Z
19 July 17

Compressing data assumes there is a “restoring” at the receiver’s end. Think zip/unzip a file.

If one first compresses then encrypts the file, it would not be able to be restored at the other end.

To me it makes more sense to first encrypt then compress.

Cat Moishanu

PeerSpot user
Security and Risk consultant at a tech services company
Consultant
2017-07-18T23:19:08Z
18 July 17

Encrypt first, then compress.

PeerSpot user
User at a tech services company
Consultant
2017-07-18T18:36:58Z
18 July 17

If original is plain text. I would compress and next encrypt. If original is binary. In which case compression might not reduce size much. Perhaps an extra conversion to Base64 could be added first, next compress and finally encrypt. In this case compression needs to reduce the size to (way) lower than 75 % to compensate for the expansion of the Base64 step, otherwise I wouldn't compress at all. There is a minimum size under which compression isn't feasible at all I guess.

PeerSpot user
Senior Information Security Advisor at a financial services firm
Real User
2017-07-18T18:15:26Z
18 July 17

First, you need to compress the data, and then to encrypt it.
Encryption of data converts the sequence into a unique set of characters, in some cases close to random distribution. Compression the unique set may not give the proper effect and the volume of transmitted data using most of the known algorithms will only be increased. The encryption, after data compression, will reduce the transmitted set.

Find out what your peers are saying about Sonar, Veracode, Snyk and others in Application Security Tools. Updated: August 2022.
633,572 professionals have used our research since 2012.
PeerSpot user
Software Test Manager at a tech vendor with 51-200 employees
Vendor
2017-07-18T17:40:21Z
18 July 17

I would consider the requirements against this data transmission like:
- How data is produced and feeds this process?
- How fast and seamless transition is required?
- What is the maximum acceptable error rate?
- Size, type, structure and number of files in a package?
- Also how data will be used on the other side? E.g. if it is stored in encrypted but uncompressed format I would consider encrypt first despite the above comments.

I would also consider preferences, constraints and bottlenecks (like compressibility of files, amount of data, bandwidth, how secure connection we have, storage capacity, calculation capacity etc.) This could result surprising decisions sometimes like leaving compression out , changing the files' content or structure if possible (e.g. not including some resources in the pdf), etc.

After all the considerations if there are still more options I would plan and execute tests on these possible solutions. The results of the tests would be the base of my final decision.

it_user656115 - PeerSpot reviewer
Digital Security Integration Lead at Nestle
Vendor
2017-07-18T17:27:04Z
18 July 17

Compress and then encrypt.

Robert V. Jones - PeerSpot reviewer
Founder at a tech company with 51-200 employees
Real User
2017-07-18T15:57:33Z
18 July 17

With regard to your question regarding compression and encryption, my response is included below:

"Compression followed by encryption is a practical approach for secure data transmission. Most modern block ciphers/encryption processes will reduce the data to a pseudo-random sequence of bytes that will typically yield little, if any, compression gain at all. Thus if data in encrypted first, compression is ineffective. In addition, the reduced amount of data resulting from compression decreases the computational demand of the subsequent encryption process. On the receiving end, decryption is followed by decompression."

If you have any question, feel free to reach out to me.

Best regards,

Robert

it_user617598 - PeerSpot reviewer
ICT Security Specialist with 1,001-5,000 employees
Vendor
2017-07-18T14:24:43Z
18 July 17

Hi,

There is no difference in the security provided, but because of the way compression algorithms work, it is advisable to compress first then encrypt.
Compression algorithms exploit statistical redundancies in the data. These would normally be eliminated when you encrypt it, therefore an encrypted message won’t be compressed that well.

PeerSpot user
Owner at a comms service provider
Vendor
2017-07-18T14:00:04Z
18 July 17

Compress then encrypt, basically compression reduces the size by removing redundancy and this in turn reduces some vector which can be used for attacks such as frequency analysis and brute force

PeerSpot user
VP of Business Development at a tech services company
Consultant
2017-07-18T13:34:24Z
18 July 17

Compress before you encrypt in most cases. In some cases compression can serve as a form of encryption such as VoIP.

PeerSpot user
Sales Engineering Manager at Hewlett Packard Enterprise
Vendor
2017-07-18T13:31:26Z
18 July 17

My suggestion is to review any solution related to Format Preserving Encryption in order to encrypt and avoid big amounts of data. After this, compression would be optional for you. Check this link: https://en.wikipedia.org/wiki/Format-preserving_encryption

it_user432561 - PeerSpot reviewer
Head of Sales with 1,001-5,000 employees
User
2017-07-18T13:11:11Z
18 July 17

I learned that if you encrypt first you will only have random data, which will limit any potential benefit from compression.

So I would say that compress before encrypt

it_user385950 - PeerSpot reviewer
Manager, Secure Systems Engineering - EISO with 1,001-5,000 employees
Vendor
2017-07-18T13:00:20Z
18 July 17

Compress then encrypt

Real User
2017-07-18T12:53:46Z
18 July 17

Hi,
Compression is based on the frequency of patterns in your data. If you encrypt first most of the patterns will be lost and the compression afterwards will not be efficient. Ex: take a text file, encrypt it then compress it, you will get a lower compression ration than if you compress then encrypt.
Same applies to video and other types of binary data.

PeerSpot user
Project Manager at a tech services company with 1,001-5,000 employees
Consultant
2017-07-18T12:51:37Z
18 July 17

Typically, compression is done as the first step, in order to reduce the size of the data and to reduce the patterns and repetitions that original data could have, leading to a stronger encryption due to reducing some attacks (known plaint text and others). As noted, original data could be compressed better than encrypted one, so the logical steps that perform better are compress and encrypt.

it_user687423 - PeerSpot reviewer
Security Engineer with 1,001-5,000 employees
Vendor
2017-07-18T12:51:29Z
18 July 17

Hello,

You should compress first. If you encrypt first, the file will be incompressible because the compressor won’t know what to look for in the data stream. See this article:

https://security.stackexchange.com/questions/19969/encryption-and-compression-of-data

Chris Konicki
IT Security Engineer

PeerSpot user
Executive Audit Methodology with 1,001-5,000 employees
Real User
2017-07-18T12:49:05Z
18 July 17

I would say you first compress the data, as to reduce the number of bytes that need to be encrypted. Given the fact that encryption is a processor intensive activity...

it_user494973 - PeerSpot reviewer
Software Quality Assurance Engineer at ITONICS GmbH
Real User
2017-07-18T12:49:03Z
18 July 17

My answer would be Compress first because If you encrypt then your data turns into (essentially) a stream of random bits. Random bits are incompressible because compression looks for patterns in the data and a random stream, by definition, has no patterns. Therefore, i believe to compress first.

Thanks,

SHANTHAMURTHY HANUMANTHARAYAPPA - PeerSpot reviewer
Assoc Quality Analyst at OptumServe Technology Services
Real User
2017-07-18T12:41:10Z
18 July 17

My answer would be encrypt first as to protect information in the transit. Compress before encryption or after encryption is same as all depends on the data size.

Related Questions
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Jul 28, 2022
What is CAPTCHA and how does It work? What are the potential use cases of CAPTCHA for AI?
See 1 answer
CL
Managing Partner at ODNA, LLC
28 July 22
CAPTCHA, Completely Automated Public Turing test to tell Computers and Humans Apart, is widely used as a security mechanism to classify human and computer. This security mechanism is based on the Turing Test, which has been conceived to ensure network security.
it_user371577 - PeerSpot reviewer
User at a tech company with 51-200 employees
Jan 23, 2016
We are mainly a VMware customer and for security Tripwire is being recommended. However, upon research I found that VMware has vCenter Configuration Manager and I'm checking to see if that's an alternative. If not vCM, does anyone recommend any other products? How about CIMCOM?Thanks.
2 out of 11 answers
PeerSpot user
Managing Director at a tech services company
18 January 16
You should consider the following vendors:  Tenable AlienVault
PeerSpot user
Chief Marketing Officer at a tech services company with 51-200 employees
18 January 16
Hi, I can't judge about the two solution as my company should be considered a competitor in the Vulnerability Management space. Still, what I'd like to recommend is to verify at least the ability to scan below the virtualization environment. I haven't heard of vCM and Vulnerabiliy Management in conjunction, so the question towards vCM would be about it gets update on Vulnerabilties discovered (ways of testing for them, frequency of updates, high risk vulnerability handling and so on). Generally I'd suggest to consider putting the management of your Vulnerability Scanning solution outside of the virtualized environment and only use virtual sensors in it.
Related Categories
Download Free Report
Download our free Application Security Tools Report and find out what your peers are saying about Sonar, Veracode, Snyk, and more! Updated: August 2022.
DOWNLOAD NOW
633,572 professionals have used our research since 2012.