0
www.cdovision.com
Moderator: Tony Shaw
CEO, DATAVERSITY
Speaker: Brian Sletten
President
Bosatsu Consulting, Inc.
#CDOVisi...
CDO Agenda
DataSecurityandEncryption
Brian Sletten
! @bsletten
07/01/2014
Speaker Qualifications
Specialize in next-generation technologies
Author of "Resource-Oriented Architecture Patterns for W...
Agenda
Intro
Encryption
The World We Live In
Secure Systems
·
·
·
·
3/55
Intro
Whoever thinks his problem can be solved
using cryptography, doesn't understand his
problem and doesn't understand
cryptog...
CC BY-SA 3.0 (http://en.wikipedia.org/wiki/Scytale)
6/55
Shift Cipher
Et tu, Brute? PLAIN TEXT
Rg gh, Oehgr? CIPHER TEXT (ROT13)
7/55
Shift Cipher
Rg gh, Oehgr? CIPHER TEXT
Et tu, Brute? PLAIN TEXT (ROT 13)
8/55
CC BY-SA 3.0 (http://en.wikipedia.org/wiki/Caesar_cipher)
9/55
Effective Cryptography
Confusion
Diffusion
·
·
10/55
CC BY-SA 3.0 (http://en.wikipedia.org/wiki/Enigma_machine)
11/55
Recent Crypto Developments
1970s: Data Encryption System (DES)
1970s: Diffie-Hellman(-Merkle) Key Exchange
1980s: RSA
1990...
Attacking Cryptography
Cryptanalysis
Social Engineering
Side Channel Attacks
·
·
·
13/55
A cryptosystem should be secure even if the attacker knows all details about the
system, with the exception of the secret ...
Bulletproof SSL and TLS
15/55
Encryption
Understanding Cryptography: A Textbook for Students and Practitioners
17/55
Understanding Cryptography: A Textbook for Students and Practitioners
18/55
http://legacy.kingston.com/secure/XTSmostsecureencryption.asp
19/55
Symmetric Encryption
By Bananenfalter (Own work) [CC0], via Wikimedia Commons
20/55
Data Encryption Standard (DES)
http://en.wikipedia.org/wiki/Feistel_cipher
21/55
22/55
Triple DES
23/55
Advanced Encryption Standard (AES)
24/55
Asymmetric Encryption
By Bananenfalter (Own work) [CC0], via Wikimedia Commons
25/55
Diffie-Helman Key Exchange (DHKE)
First published asymmetric crypto scheme (1976)
Influenced by work of Ralph Merkle
Disco...
http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
27/55
DHKE Uses
SSH
TLS
IPSec
·
·
·
28/55
29/55
30/55
31/55
32/55
33/55
34/55
35/55
Data at Rest and Encryption
Context
Regulatory Compliance
Querying
Key rotation
Archival quality
·
·
·
·
·
36/55
The World We Live In
Known TLS Hacks
BEAST
CRIME
BREACH
Lucky Thirteen
Heartbleed
·
·
·
·
·
38/55
Dual_EC_DRBG
Dual Elliptic Curve Deterministic Random Bit Generator
PRNG algorithm (ISO 18031 and NIST Standard)
In 2007, ...
RdRand
Intel instruction for returning random numbers from on-chip RNG with its own
source of entropy
Compliant with NIST ...
Secure Systems
The main objective of secure system design is to make breaking the system more
costly than the value of the protected asse...
[Security Engineering] is about building
systems to remain dependable in the face of
malice, error, or mischance.
“
”
Ross...
Solutions
Principle of Least Privilege
Defense in Depth
Build Security In
·
·
·
44/55
Security is an emergent property of your
system.
“
”
Gary McGraw
Approach
Risk Management
Touchpoints
Knowledge
·
·
·
46/55
Requirements
and Use
Cases
Architecture
and Design
Test Plans Code
Tests and
Test Results
Feedback
from
Deployed
Systems
E...
Requirements
and Use
Cases
Architecture
and Design
Test Plans Code
Tests and
Test Results
Feedback
from
Deployed
Systems
C...
Books
50/55
51/55
https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
52/55
http://www.crypto-textbook.com
53/55
54/55
Questions?
" brian@bosatsu.net
! @bsletten
+ http://tinyurl.com/bjs-gplus
$ bsletten
Upcoming SlideShare
Loading in...5
×

The CDO Agenda - Data Security and Encryption

434

Published on

If you're not terrified, you're not paying attention.

Every organization in the world, large and small, should be concerned about Data Security. Virtually every week there’s a well-publicized and embarrassing data breach that serves to remind how important it is to protect both customer and enterprise information.

Tools and techniques exist to help, for managing identity, authentication, and authorization. Encryption is also an effective way of making it harder for people to steal your secrets. But it isn't magical, it isn't fool proof and, depending on how you are using it, may be completely useless. You don't have to understand the math (although that will help), but you do have to understand what encryption will and won't do for you.

Data and web security today
Protecting data in transit
Protecting data at rest
What advantage does Encryption provide?
How can you build encrypted data protection into your software and systems?
Are there business trade-offs?
Implications for specific industries (financial, health)

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
434
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "The CDO Agenda - Data Security and Encryption"

  1. 1. www.cdovision.com Moderator: Tony Shaw CEO, DATAVERSITY Speaker: Brian Sletten President Bosatsu Consulting, Inc. #CDOVision Sponsored today by:
  2. 2. CDO Agenda DataSecurityandEncryption Brian Sletten ! @bsletten 07/01/2014
  3. 3. Speaker Qualifications Specialize in next-generation technologies Author of "Resource-Oriented Architecture Patterns for Webs of Data" Speaks internationally about REST, Semantic Web, Security, Visualization, Architecture Worked in Defense, Finance, Retail, Hospitality, Video Game, Health Care and Publishing Industries One of Top 100 Semantic Web People · · · · · 2/55
  4. 4. Agenda Intro Encryption The World We Live In Secure Systems · · · · 3/55
  5. 5. Intro
  6. 6. Whoever thinks his problem can be solved using cryptography, doesn't understand his problem and doesn't understand cryptography. “ ” Roger Needham/Butler Lampson
  7. 7. CC BY-SA 3.0 (http://en.wikipedia.org/wiki/Scytale) 6/55
  8. 8. Shift Cipher Et tu, Brute? PLAIN TEXT Rg gh, Oehgr? CIPHER TEXT (ROT13) 7/55
  9. 9. Shift Cipher Rg gh, Oehgr? CIPHER TEXT Et tu, Brute? PLAIN TEXT (ROT 13) 8/55
  10. 10. CC BY-SA 3.0 (http://en.wikipedia.org/wiki/Caesar_cipher) 9/55
  11. 11. Effective Cryptography Confusion Diffusion · · 10/55
  12. 12. CC BY-SA 3.0 (http://en.wikipedia.org/wiki/Enigma_machine) 11/55
  13. 13. Recent Crypto Developments 1970s: Data Encryption System (DES) 1970s: Diffie-Hellman(-Merkle) Key Exchange 1980s: RSA 1990s: Attacking DES 2000s: Advanced Encryption System (AES) · · · · · 12/55
  14. 14. Attacking Cryptography Cryptanalysis Social Engineering Side Channel Attacks · · · 13/55
  15. 15. A cryptosystem should be secure even if the attacker knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms. “ ” Auguste Kerckhoffs (1883)
  16. 16. Bulletproof SSL and TLS 15/55
  17. 17. Encryption
  18. 18. Understanding Cryptography: A Textbook for Students and Practitioners 17/55
  19. 19. Understanding Cryptography: A Textbook for Students and Practitioners 18/55
  20. 20. http://legacy.kingston.com/secure/XTSmostsecureencryption.asp 19/55
  21. 21. Symmetric Encryption By Bananenfalter (Own work) [CC0], via Wikimedia Commons 20/55
  22. 22. Data Encryption Standard (DES) http://en.wikipedia.org/wiki/Feistel_cipher 21/55
  23. 23. 22/55
  24. 24. Triple DES 23/55
  25. 25. Advanced Encryption Standard (AES) 24/55
  26. 26. Asymmetric Encryption By Bananenfalter (Own work) [CC0], via Wikimedia Commons 25/55
  27. 27. Diffie-Helman Key Exchange (DHKE) First published asymmetric crypto scheme (1976) Influenced by work of Ralph Merkle Discovered earlier at GCHQ but was classified Allows derivation of a secret key over public channels Based upon the Discrete Logarithm Problem · · · · · 26/55
  28. 28. http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange 27/55
  29. 29. DHKE Uses SSH TLS IPSec · · · 28/55
  30. 30. 29/55
  31. 31. 30/55
  32. 32. 31/55
  33. 33. 32/55
  34. 34. 33/55
  35. 35. 34/55
  36. 36. 35/55
  37. 37. Data at Rest and Encryption Context Regulatory Compliance Querying Key rotation Archival quality · · · · · 36/55
  38. 38. The World We Live In
  39. 39. Known TLS Hacks BEAST CRIME BREACH Lucky Thirteen Heartbleed · · · · · 38/55
  40. 40. Dual_EC_DRBG Dual Elliptic Curve Deterministic Random Bit Generator PRNG algorithm (ISO 18031 and NIST Standard) In 2007, concern about a backdoor Required for FIPS 140-2 BULLRUN revelations implicated Dual_EC_DRBG NIST recommends against use NSA reportedly paid RSA to make Dual_EC_DRBG default PRNG NSA requested RSA add TLS extension to expose more PRNG data · · · · · · · · 39/55
  41. 41. RdRand Intel instruction for returning random numbers from on-chip RNG with its own source of entropy Compliant with NIST SP 800-90A, FIPS 140-2 and ANSI X9.82 SP 800-90 requires CTR DRBG, Hash DRBG, HMAC DRBG and Dual_EC_DRBG Not pulled from Linux Pulled from FreeBSD · · · · · 40/55
  42. 42. Secure Systems
  43. 43. The main objective of secure system design is to make breaking the system more costly than the value of the protected assets , where the 'cost' should be measured in monetary value but also in more abstract terms such as effort or reputation . “ ” Christof Paar and Jan Pelzl Understanding Cryptography: A Textbook for Students and Practitioners
  44. 44. [Security Engineering] is about building systems to remain dependable in the face of malice, error, or mischance. “ ” Ross J. Anderson Security Engineering
  45. 45. Solutions Principle of Least Privilege Defense in Depth Build Security In · · · 44/55
  46. 46. Security is an emergent property of your system. “ ” Gary McGraw
  47. 47. Approach Risk Management Touchpoints Knowledge · · · 46/55
  48. 48. Requirements and Use Cases Architecture and Design Test Plans Code Tests and Test Results Feedback from Deployed Systems External Review 47/55
  49. 49. Requirements and Use Cases Architecture and Design Test Plans Code Tests and Test Results Feedback from Deployed Systems Code Review Risk Analysis Penetration Testing Security Operations Risk-based Security Tests External Review Risk Analysis Security Requirements Abuse Cases 1 2 2 3 4 5 6 7 48/55
  50. 50. Books
  51. 51. 50/55
  52. 52. 51/55
  53. 53. https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ 52/55
  54. 54. http://www.crypto-textbook.com 53/55
  55. 55. 54/55
  56. 56. Questions? " brian@bosatsu.net ! @bsletten + http://tinyurl.com/bjs-gplus $ bsletten
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×