Data Security Essentials 
Anirban Mukherjee 
amukherjee@verisign.com 
JavaOne® 2013 
24-Sep-2013 
Manish Maheshwari 
mmaheshwari@verisign.com
Speakers 
Manish 
Principal Engineer, Verisign 
Anirban 
Software Architect, Verisign 
Verisign Public 2
Motivation 
• Data Security is vital 
• Reputation and Trust + Business competitiveness 
• Data Security ≠ App Security ! 
• Should App breach necessarily cause Data breach ? 
• Data may be handled independently of App as well 
• Cloud Computing broadens the Data Security puzzle 
• Necessitates clearer appreciation and use of applied Crypto 
• What Data Security assurances am I getting from the CSP ? 
• Am I using the CSP’s service options most effectively and in an up-to-date manner ? 
• I am a CSP myself, and I am using other CSPs … 
• … But I need to answer my customers on the end-to-end picture 
Agenda 
• Basic Cryptographic Concepts and Applications 
• 1-way hashes and digests 
• Secure Credential Storage 
• Symmetric Key Cryptography 
• Data Confidentiality – in storage and in transit 
• Asymmetric/Public Key Cryptography 
• Authentication and Secure Communications 
• Data Security Considerations for the Cloud 
• Recent Trends in Cloud Data Security 
• HSMs for Safe Key Storage 
• Encryption Gateways into the Cloud 
Cryptographic Concepts and Applications 
Basic Conceptual Terms 
• Security Goals 
• Authentication, Confidentiality, Non Repudiation, Integrity 
• Deals with making communications and storage secure 
• Encryption/Decryption 
• Encryption: clear-text message to cipher-text 
• Decryption: cipher-text back to clear-text 
• Types of encryption algorithms 
• Symmetric Key 
• Asymmetric Key 
Cryptographic Hashes: Overview 
• Infeasible to reverse 
• Variable-length input string converted into a short fixed-length binary sequence 
• Efficient - easy to compute 
• Infeasible to craft collisions 
• Small change in input changes the hash significantly 
Figure: Clear Text → hash → MD5 Digest (128 bit) 
• "hello, world" → e4d7f1b4ed2e42d15898f4b27b019da4 
• "this is clear text that anybody can read easily without key used for encryption" → 58dbbd848ced7f0f68e280f0de8be1a8 
• "this is a really really long text that we need to digest, so that we can verify the integrity of this data; and verify that bad guys don't temper with this data. We are sending millions of dollars in cash through this data transmission." → d4b2c62831758526735a357831e8f15b 
Note: MD5 is not considered secure today. Only for illustration. 
Cryptographic Hashes: Security Goal 
[Figure: Cryptographic Primitives => Security Goals. Primitives: Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Security goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality, Trust.] 
Cryptographic Hashes: Uses 
• Used for storage of credentials like passwords 
• 1-way encryption 
• Not feasible to compute password from the hash 
• Not feasible to compute other passwords producing same hash 
• Also used in 
• Digital Signatures, Digital Certificates 
• Non-Crypto Hash: 
• File integrity checks, Network Protocols 
[Figure: clear text → hash function → hashed: 5f4dcc3b5aa765d61d8327deb882cf99] 
Cryptographic Hashes: Details 
• Algorithms 
• MD5 (128 bits), SHA-1 (160 bits), SHA-256 (256 bits), SHA-512 (512 bits) 
Attack 
• Pre-computed dictionary attacks / Rainbow attacks 
• Hash Collision 
Mitigation 
• Use random salts 
• Use stronger versions e.g. SHA-256 upwards 
• 2-Factor authentication 
Cryptographic Hashes: Java 
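import java.security.MessageDigest; 

MessageDigest md = MessageDigest.getInstance("SHA-256"); 
md.update("password".getBytes());       // input can be fed incrementally 
md.update(" is 'secret'".getBytes()); 
byte[] digestBytes = md.digest();       // 32-byte SHA-256 digest 
print(toHex(digestBytes));              // print/toHex: helper methods not shown on the slide 
//02de2bef86a1c22c58ebde582fa51e248451403a678f860dc70ab33aeceef922 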
HMAC: Overview 
• Keyed Hash 
• Hash created using the message and the secret key 
• Secret key is factored in when creating the hash 
• Described in RFC 2104 
• Algorithms 
• HMAC/SHA-1 
• HMAC/SHA-256 
[Figure: Clear Text ("hello, world") + Shared Key ("secret_key") → HMAC Function → HMAC Tag: e4d7f1b4ed2e42d15898f4b27b019da4] 
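The keyed-hash flow above, written against the JCE Mac API. This is an added example, not code from the slides; the class name, messages and randomly generated keys are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacDemo {
    private static final String ALG = "HmacSHA256";

    // Sender side: compute the tag over the message with the shared key.
    static byte[] tag(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(message);
    }

    // Receiver side: recompute the tag and compare without an early-exit
    // byte comparison, so timing does not reveal how many bytes matched.
    static boolean verify(byte[] key, byte[] message, byte[] receivedTag) throws Exception {
        return MessageDigest.isEqual(tag(key, message), receivedTag);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] sharedKey = new byte[32];   // key known to both parties
        byte[] otherKey = new byte[32];    // key of a party outside the exchange
        rng.nextBytes(sharedKey);
        rng.nextBytes(otherKey);

        // Constructed sample messages.
        byte[] message = "transfer 100 to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "transfer 900 to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] genuineTag = tag(sharedKey, message);

        System.out.println("genuine message accepted:    "
                + verify(sharedKey, message, genuineTag));
        System.out.println("tampered message accepted:   "
                + verify(sharedKey, tampered, genuineTag));
        System.out.println("tag from other key accepted: "
                + verify(sharedKey, message, tag(otherKey, message)));
    }
}
```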
HMAC: Security Goal 
[Figure: Cryptographic Primitives => Security Goals. Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Security goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality, Trust.] 
Symmetric Crypto: Overview 
[Figure: Cleartext → Encryption → Ciphertext → Decryption → Cleartext, with the same Secret Key used for both steps] 
• Same key is used for encryption and decryption 
• Parties need a mechanism to exchange the shared key securely 
• Key must be secret and safely stored 
Symmetric Crypto: Security Goal 
[Figure: Cryptographic Primitives => Security Goals. Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Security goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality, Trust.] 
Symmetric Crypto: Uses 
• Vital for secure storage and secure transmission 
• Prevents attackers from being able to make sense of disk data or network packets accessed illegitimately 
• Symmetric key ciphers are efficient 
• Relatively inexpensive to produce a strong key 
• Smaller keys for the same level of protection 
• Comparatively inexpensive encryption/decryption 
Symmetric Crypto: Details 
• Algorithms 
• DES, 3DES, AES-x (x=128,192,256), RC4 
Attack 
• Cryptanalysis 
• Key compromise 
Mitigation 
• Block Cipher Mode of Operation – avoid ECB 
• Larger Keys, Rotate/Rollover keys periodically 
• Secure Key Storage 
• Restricted file system/VM, HSM 
Symmetric Crypto: Java 
import javax.crypto.*;                      // Cipher, KeyGenerator, SecretKey 
import javax.crypto.spec.IvParameterSpec; 

// Generate a random 256-bit AES key 
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES"); 
keyGenerator.init(256); 
SecretKey secretKey = keyGenerator.generateKey(); 
// getRandomIv() is a helper not shown on the slide; AES/CBC needs a 16-byte IV 
byte[] initVector = getRandomIv(); 
IvParameterSpec ivSpec = new IvParameterSpec(initVector); 
Cipher aesCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); 
aesCipher.init(Cipher.ENCRYPT_MODE, secretKey, ivSpec); 
byte[] text = "Sensitive Data".getBytes(); 
byte[] textEncrypted = aesCipher.doFinal(text); 
// Receiving end: needs the same key and the same IV 
aesCipher.init(Cipher.DECRYPT_MODE, secretKey, ivSpec); 
byte[] textDecrypted = aesCipher.doFinal(textEncrypted); 
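Why the Details slide says to avoid ECB: the added example below (not code from the slides) encrypts the same repetitive plaintext under AES/ECB and AES/CBC and counts ciphertext blocks that repeat. The class name, helper names and sample plaintext are constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class EcbVsCbc {
    static final int BLOCK = 16; // AES block size in bytes

    // Number of ciphertext blocks that are byte-for-byte equal to an earlier block.
    static int repeatedBlocks(byte[] ciphertext) {
        Set<String> seen = new HashSet<>();
        int repeats = 0;
        for (int off = 0; off + BLOCK <= ciphertext.length; off += BLOCK) {
            String block = Base64.getEncoder()
                    .encodeToString(Arrays.copyOfRange(ciphertext, off, off + BLOCK));
            if (!seen.add(block)) {
                repeats++;
            }
        }
        return repeats;
    }

    // iv == null selects a mode without an IV (ECB).
    static byte[] encrypt(String transformation, SecretKey key, byte[] iv, byte[] data)
            throws Exception {
        Cipher cipher = Cipher.getInstance(transformation);
        if (iv == null) {
            cipher.init(Cipher.ENCRYPT_MODE, key);
        } else {
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        }
        return cipher.doFinal(data);
    }

    static byte[] randomIv() {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);
        return iv;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample: four identical 16-byte records, as in a fixed-width field.
        byte[] plaintext = new byte[4 * BLOCK];
        Arrays.fill(plaintext, (byte) 'A');

        byte[] ecb1 = encrypt("AES/ECB/PKCS5Padding", key, null, plaintext);
        byte[] ecb2 = encrypt("AES/ECB/PKCS5Padding", key, null, plaintext);
        byte[] cbc1 = encrypt("AES/CBC/PKCS5Padding", key, randomIv(), plaintext);
        byte[] cbc2 = encrypt("AES/CBC/PKCS5Padding", key, randomIv(), plaintext);

        // Repeats inside one ciphertext reveal repeated plaintext blocks.
        System.out.println("ECB repeated ciphertext blocks: " + repeatedBlocks(ecb1));
        System.out.println("CBC repeated ciphertext blocks: " + repeatedBlocks(cbc1));
        // Equal ciphertexts across messages reveal that the same data was stored twice.
        System.out.println("ECB same plaintext, same ciphertext: " + Arrays.equals(ecb1, ecb2));
        System.out.println("CBC same plaintext, same ciphertext: " + Arrays.equals(cbc1, cbc2));
    }
}
```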
Asymmetric Crypto: Overview 
[Figure: Cleartext → Encryption (Public Key) → Ciphertext → Decryption (Private Key) → Cleartext] 
• Public Key is well-known and published to all 
• Private Key is secret and must be stored safely by owner 
• Encrypt with one Key, Decrypt with another Key 
• Infeasible to compute Private Key from Public Key 
Asymmetric Crypto: Security Goal 
[Figure: Cryptographic Primitives => Security Goals. Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Security goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality *, Trust.] 
* Public key can be used to encrypt data that can only be decrypted using Private key 
Comparing Crypto Strengths 
• Smaller Keys are more efficient 
• Faster generation 
• Faster encrypt/decrypt 
• Smaller encrypted output 
• Longer keys have higher crypto strength 
• For same algorithm 
• Symmetric Keys are smaller for same crypto strength 
Asymmetric Crypto: Overview 
• Key generation, encryption/decryption are expensive compared to symmetric keys 
• Used to encrypt small amounts of data, mostly for authentication 
• Rarely used for encryption of regular data which is voluminous 
• Private key must be securely stored similar to symmetric keys 
Asymmetric Crypto: Uses 
• Secure Communications 
• Data origin authentication 
• No interception/diversion aka Man-in-the-middle 
• Symmetric Key exchange during session establishment 
• SSL, PGP, SSH 
• Mechanisms 
• Digital Signatures 
• Digital Certificates 
Asymmetric Crypto: Java 
import java.security.*;   // KeyPairGenerator, KeyPair, PublicKey, PrivateKey 

// Generate a 2048-bit RSA key pair 
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); 
kpg.initialize(2048); 
KeyPair keyPair = kpg.generateKeyPair(); 
PublicKey publicKey = keyPair.getPublic(); 
PrivateKey privateKey = keyPair.getPrivate(); 
byte[] dataBytes = "Sensitive Data".getBytes(); 
byte[] encBytes = encrypt(…); // using private key, and tx 
Digital Signatures: Overview 
[Figure: Transmitting Host: clear text data is hashed (5f4dcc3b5aa765d61d8327deb882cf99) and the hash is encrypted with the private key (n3eJrIzB3UvIbh01z61bEPFDpbZXyzvLORBC5spQLI8=). The clear text data and the encrypted hash cross the Insecure Channel. Receiving Host: the received data is hashed again, the encrypted hash is decrypted with the public key, and the two hashes are compared (==).] 
• Builds on Hashing and Asymmetric Crypto 
• Actual data remains in cleartext but signature is attached 
• Data origin authentication, Data integrity assurance 
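The sign-and-verify flow in the figure, written against the JCE Signature API, which performs the hashing and the private-key operation in one step. This is an added example, not code from the slides; the class name, sample data and freshly generated key pairs are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class SignatureDemo {
    private static final String ALG = "SHA256withRSA";

    // Transmitting host: hash the data and sign the hash with the private key.
    static byte[] sign(PrivateKey privateKey, byte[] data) throws GeneralSecurityException {
        Signature signer = Signature.getInstance(ALG);
        signer.initSign(privateKey);
        signer.update(data);
        return signer.sign();
    }

    // Receiving host: hash the received data and check it against the signature
    // using the sender's public key.
    static boolean verify(PublicKey publicKey, byte[] data, byte[] signature)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance(ALG);
        verifier.initVerify(publicKey);
        verifier.update(data);
        return verifier.verify(signature);
    }

    static KeyPair newRsaKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair sender = newRsaKeyPair();
        KeyPair someoneElse = newRsaKeyPair();

        // Constructed sample data; it travels in clear text next to the signature.
        byte[] data = "Sensitive Data".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(sender.getPrivate(), data);

        // Data modified in transit: one bit flipped.
        byte[] tampered = data.clone();
        tampered[0] ^= 1;

        System.out.println("original data, sender's key:  "
                + verify(sender.getPublic(), data, signature));
        System.out.println("tampered data, sender's key:  "
                + verify(sender.getPublic(), tampered, signature));
        System.out.println("original data, different key: "
                + verify(someoneElse.getPublic(), data, signature));
    }
}
```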
Digital Signatures: Security Goal 
[Figure: Cryptographic Primitives => Security Goals. Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Security goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality *, Trust.] 
* Public key can be used to encrypt data that can only be decrypted using Private key 
Digital Signatures: Details 
• Algorithms 
• RSA/SHA-x, DSA, ECDSA (Elliptic Curve) 
• Applications 
• PGP Signed Email, SSL Certificate Signatures, DNSSEC 
Attack 
• Signature forgery by exploiting weak hash functions 
• Private key compromise 
Mitigation 
• Strong hashes and strong encryption 
• Secure private key storage 
Digital Certificates: Signatures + Chain of Trust 
• Builds on Digital Signatures and PKI 
• Certificate is a "Digitally Signed Public Key" 
• Chain of Trust with Certificate Authorities 
• DNSSEC also has Chain of Trust but no certs 
Digital Certificates: Details 
• Certificate is public and valid for a time interval (typically years) 
• Certifies that Public Key identifies Subject 
• DNS hostname, Email address etc. 
• Affixed with CA signature 
• Verifier configures Trust Anchor 
• a node in the Chain of Trust 
• root always trusted 
• Root CA is ultimate authority 
• Self-signed certificate trusted by clients 
Digital Certificate (fields) 
• Version 
• Serial Number 
• Signature Algorithm 
• Issuer Name 
• Validity: Not Before Date, Not After Date 
• Subject Name 
• Subject Public Key: Algorithm, Key 
• Extensions 
• Signature 
Digital Certificates: Security Goal 
[Figure: Cryptographic Primitives => Security Goals. Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Security goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality *, Trust.] 
* Public key can be used to encrypt data that can only be decrypted using Private key 
Digital Certificates: Details 
Attack 
• Private key compromise (anywhere in Trust Chain) 
• Fraudulent yet cryptographically valid certs, typically via hash collisions 
Mitigation 
• Use reputed CAs 
• Strong encryption and hash functions 
• Secure Key Storage 
• Certificate Revocation 
Data Security Considerations for the Cloud 
Cloud Data Security: Context 
• Data Security is crucial for Enterprises 
• Data Protection is vital for Reputation 
• Concerns on Data Security are a deterrent to broader adoption of Cloud Computing 
• Data moves out of Enterprise boundaries 
• Trust on Cloud providers 
• Shared infrastructure 
• Yet benefits of Cloud Computing are compelling 
• Need for comprehensive and non-intrusive data security 
Top Cloud Data Security Issues: Gartner 
• Breach notification and data residency 
• Data management at rest 
• Data protection in motion 
• Encryption key management 
• Access controls 
• Long-term resiliency of the encryption system 
Cloud Data Security: Who is responsible ? 
“Encryption of sensitive data is generally a good security practice, and AWS encourages you to encrypt your sensitive data via an algorithm consistent with your applicable security policy.” – Amazon Web Services: Overview of Security Processes 
• Who is responsible for the overall security ? 
• Different levels of providers 
• Shared infrastructure can make extent of breach higher 
• APIs allow many admin functions to be carried out 
• Malicious entities can look for weaknesses in the API 
• Can gain broad access to shared infrastructure 
Cloud Data Security: Encryption Layers 
• Different Layers of Encryption 
• Block Storage / Disks 
• Filesystems 
• Databases 
• Applications 
[Figure: encryption layer stack, top to bottom: Applications, Databases, Filesystems, Disks] 
• Higher-level encryption can protect better but is harder 
• Key question: Who has the key(s) ? 
• They have access 
• Disks encrypted by provider 
• Provider can see disk content 
• Filesystems encrypted by provider 
• Provider can see file content 
• … and so on 
Cloud Data Security: Broad Concerns 
• Is server based encryption sufficient ? 
• Encryption Gateways on the client/enterprise side 
• How secure are the encryption keys ? 
• Stored in the Cloud - Secured VM, HSM 
• Stored by Client/enterprise (Encryption Gateways) 
1-way Hashes: Upshot for Cloud 
• If your cloud provider is able to send you your password for Forgot Password, … 
• Apps hosted by you on provider’s infra should use 1-way hashes with salt for storing passwords in the database 
Symmetric Crypto: Upshot for Cloud 
• Secure way to store uploaded data, sensitive personal information in databases, VM images, emails etc. 
• Cloud service provider 
• What is encrypted and using what mechanism? 
• How and where are secret keys stored ? Are they rotated ? 
• Is there a way that only I can use the secret key without the provider having access to it ? 
• Apps provided by you 
• Are you encrypting sensitive data stored in databases, Text Search indexes etc. 
• How secure is your secret key ? 
Asymmetric Crypto: Upshot for Cloud 
• Cloud Service Provider 
• Are they using valid non-expired SSL certificates and strong encryption ? 
• Server certs and client certs (if applicable) 
• Are their domains DNSSEC enabled ? 
• Protection against DNS Cache Poisoning Attacks 
• Do they renew certificates and roll over DNSSEC keys ? 
• Apps provided by you 
• Is HTTPS used for all confidential exchanges ? 
• Are signed emails used especially for input emails that trigger workflow actions ? 
• Is certificate-based client authentication implemented properly ? 
Recent Trends in Cloud Data Security 
Hardware Security Modules 
• Secure and tamper-resistant storage for high-value keys 
• Traditionally used for CAs, DNSSEC signers 
• Now being considered for more uses in the Cloud 
• Very difficult to access/steal keys from the device 
• Various FIPS levels 
• May respond to tamper attempts 
• Highly secure ones can self-destruct keys 
• Often JCE KeyStore provider is supplied by vendor 
• Can use JCE KeyStore abstraction directly from Java apps 
• If not, need to use a JCE PKCS#11 Provider 
• Uses JNI to invoke the native PKCS#11 API libraries 
Hardware Security Modules 
• Key stays within the HSM 
• Cryptographic operations occur within the hardware 
• signing 
• encryption/decryption 
• Cryptographic black box 
• input data goes in 
• cryptographically transformed data comes out 
[Figure labels: Storage, Creation, Destruction, Usage, Distribution] 
Cloud Encryption Gateways 
[Figure: Encryption Gateway placed in front of SaaS, PaaS and IaaS; labelled paths: SaaS forms, PaaS API, Cloud DB JDBC] 
• Intercept and transform sensitive data before it goes out 
• Replace it with a random token or strongly encrypted value 
• Must be of same size and type, else things will break 
• Do reverse operation for data coming back into premises 
• Real-time crypto operation on every request/response 
Cloud Encryption Gateways 
• Enterprise owns encryption key or token vault 
• Data stored in Cloud provider’s datastores is mangled 
• Data stores include databases, Text Search indexes 
• Sensitive data not compromised 
• Field-based operation 
• Can specify the sensitive fields 
• Only those will be transformed 
• Cloud platform aware 
• Gateway needs to do transformations specific to the SaaS, PaaS involved in the interaction 
• Not platform-agnostic 
Cloud Encryption Gateways – Format Preservation 
• Format preserving encryption 
• Usually encryption produces longer ciphertext than plain-text 
• logical data type may change too 
• e.g. 1234567812345670 (16 digit number) -> lqRcvPnCqUJc3p4nSUjLZw==, (24 char base64 encoded string) 
• Size and datatype mismatch in transformation will break things 
• Database column type and length 
• Application data types and length 
• Ciphertext is in same format (type and length) as input plaintext 
• Input: 10 digit numeric id, Output: a different 10 digit numeric id 
• Input: 30 character address, Output: 30 character mangled string 
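The "random token" option for a gateway, with the format kept intact: each character is replaced by a random one of the same class, and the mapping stays in an enterprise-side vault. This is an added example, not code from the slides; the TokenVault class and its in-memory maps are hypothetical stand-ins for a real token vault, and the sample values other than the 16-digit number are constructed.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical in-memory vault; a real gateway would persist it on the enterprise side.
public class TokenVault {
    private static final int MAX_ATTEMPTS = 1000;
    private final Map<String, String> tokenByValue = new HashMap<>();
    private final Map<String, String> valueByToken = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    // Outbound: swap the sensitive value for a token of the same length and type.
    public synchronized String tokenize(String value) {
        String known = tokenByValue.get(value);
        if (known != null) {
            return known; // stable token, so equality lookups in the cloud still work
        }
        // Bounded retries: a value with no digits or letters, or a format whose
        // token space is used up, must fail loudly instead of looping forever.
        for (int i = 0; i < MAX_ATTEMPTS; i++) {
            String token = randomLike(value);
            if (!token.equals(value) && !valueByToken.containsKey(token)) {
                tokenByValue.put(value, token);
                valueByToken.put(token, value);
                return token;
            }
        }
        throw new IllegalStateException("no free token for this format");
    }

    // Inbound: reverse operation for data coming back into the premises.
    public synchronized String detokenize(String token) {
        String value = valueByToken.get(token);
        if (value == null) {
            throw new IllegalArgumentException("unknown token");
        }
        return value;
    }

    // Digit -> random digit, letter -> random letter of the same case;
    // separators such as spaces and commas are kept as they are.
    private String randomLike(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            if (c >= '0' && c <= '9') {
                sb.append((char) ('0' + rng.nextInt(10)));
            } else if (c >= 'a' && c <= 'z') {
                sb.append((char) ('a' + rng.nextInt(26)));
            } else if (c >= 'A' && c <= 'Z') {
                sb.append((char) ('A' + rng.nextInt(26)));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        TokenVault vault = new TokenVault();
        String[] fields = {
            "1234567812345670",           // 16 digit number from the slide
            "0123456789",                 // constructed 10 digit numeric id
            "12 Example Road, Springfield" // constructed address
        };
        for (String field : fields) {
            String token = vault.tokenize(field);
            System.out.println(field + " -> " + token
                    + " | same length: " + (token.length() == field.length())
                    + " | round trip: " + field.equals(vault.detokenize(token)));
        }
    }
}
```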
Cloud Encryption Gateways – Function Preservation 
• Function preserving encryption 
• Just format preservation may not be sufficient 
• What about 
• Wildcard matches 
• Sort orders 
• Need encryption/tokenization that is order-preserving 
• More generally function-preserving 
• Solutions implementing such encryption are now available 
• Possibility of reduced encryption strength 
• Not yet clear if strength is within acceptable limits 
Fully Homomorphic Encryption: Active research area 
• Servers process data without decrypting and return (still-encrypted) results 
• Encryption + decryption only at client end 
• only client has keys 
• Data is stored in encrypted form as sent by client 
• No encryption or decryption done by server 
• Server operates in ciphertext space itself 
• Server does not see any plaintext query or plaintext results 
• General operations are theoretically possible 
• Currently not practically efficient 
• But major breakthroughs in the last few years 
Conventional vs Fully Homomorphic Encryption 
[Figure: two panels. Conventional: Client (Encrypt, Decrypt) and Server (Decrypt, Processing Logic, Encrypt). Fully homomorphic: Client (Encrypt, Decrypt) and Server (Processing Logic only).] 
Conclusion 
• Many pieces to the Cloud Data Security puzzle 
• Innovative solutions are emerging based on well-proven (and also a few not-so-well-proven !) building blocks 
• Comprehensive approaches involving all parties are the need 
• News of breaches causes discomfort 
• It may take a while before comfort levels are reached 
References 
• NIST Special Publication 800-57 Recommendation for Key Management – Part 1: General (Revision 3) 
• MD5 considered harmful today: Creating a Rogue CA Certificate 
• Six security issues to tackle before encrypting cloud data http://www.computerweekly.com/news/2240180087/Six-security-issues-to-tackle-before-encrypting-cloud-data 
Thank You 
© 2013 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and 
designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United 
States and in foreign countries. All other trademarks are property of their respective owners. Oracle 
and Java are registered trademarks of Oracle and/or its affiliates.

 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 

Recently uploaded (20)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 

Data Security Essentials: Key Concepts and Trends

  • 1. Data Security Essentials Anirban Mukherjee amukherjee@verisign.com Java One 2013 JavaOne® 2013 24-Sep-2013 Manish Maheshwari mmaheshwari@verisign.com
  • 2. Speakers Manish Principal Engineer, Verisign Anirban Software Architect, Verisign Verisign Public 2
  • 3. Motivation • Data Security is vital • Reputation and Trust + Business competitiveness • Data Security ≠ App Security ! • Should App breach necessarily cause Data breach ? • Data may be handled independently of App as well • Cloud Computing broadens the Data Security puzzle • Necessitates clearer appreciation and use of applied Crypto • What Data Security assurances am I getting from the CSP ? • Am I using the CSP’s service options most effectively and in an up-to-date manner ? • I am a CSP myself, and I am using other CSPs … • … But I need to answer my customers on the end-to-end picture Verisign Public 3
  • 4. Agenda • Basic Cryptographic Concepts and Applications • 1-way hashes and digests • Secure Credential Storage • Symmetric Key Cryptography • Data Confidentiality – in storage and in transit • Asymmetric/Public Key Cryptography • Authentication and Secure Communications • Data Security Considerations for the Cloud • Recent Trends in Cloud Data Security • HSMs for Safe Key Storage • Encryption Gateways into the Cloud Verisign Public 4
  • 5. Cryptographic Concepts and Applications Verisign Public 5
  • 6. Basic Conceptual Terms • Security Goals • Authentication, Confidentiality, Non Repudiation, Integrity • Deals with making communications and storage secure • Encryption/Decryption • Encryption: clear-text message to cipher-text • Decryption: cipher-text back to clear-text • Types of encryption algorithms • Symmetric Key • Asymmetric Key Verisign Public 6
  • 7. Cryptographic Hashes: Overview • Infeasible to reverse • Variable-length input string converted into a short fixed-length binary sequence • Efficient - easy to compute • Infeasible to craft collisions • Small change in input changes the hash significantly
      Clear Text → hash → MD5 Digest (128 bit):
      "hello, world" → e4d7f1b4ed2e42d15898f4b27b019da4
      "this is clear text that anybody can read easily without key used for encryption" → 58dbbd848ced7f0f68e280f0de8be1a8
      "this is a really really long text that we need to digest, so that we can verify the integrity of this data; and verify that bad guys don't temper with this data. We are sending millions of dollars in cash through this data transmission." → d4b2c62831758526735a357831e8f15b
      Note: MD5 is not considered secure today. Only for illustration. Verisign Public 7
  • 8. Cryptographic Hashes: Security Goal • Cryptographic Primitives => Security Goals • Primitives: Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates • Security Goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality, Trust Verisign Public 8
  • 9. Cryptographic Hashes: Uses • Used for storage of credentials like passwords • 1-way encryption • Not feasible to compute password from the hash • Not feasible to compute other passwords producing same hash • Also used in • Digital Signatures, Digital Certificates • Non-Crypto Hash: • File integrity checks, Network Protocols • Diagram: clear text → hash function → hashed (5f4dcc3b5aa765d61d8327deb882cf99) Verisign Public 9
  • 10. Cryptographic Hashes: Details • Algorithms • MD5 (128 bits), SHA-1 (160 bits), SHA-256 (256 bits), SHA-512 (512 bits) • Attacks: Pre-computed dictionary attacks / Rainbow attacks; Hash Collision • Mitigations: Use random salts; Use stronger versions e.g. SHA-256 upwards; 2-Factor authentication Verisign Public 10
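  • 11. Cryptographic Hashes: Java
      import java.nio.charset.StandardCharsets;
      import java.security.MessageDigest;
      // Successive update() calls hash the concatenation "password is 'secret'".
      MessageDigest md = MessageDigest.getInstance("SHA-256");
      md.update("password".getBytes(StandardCharsets.UTF_8));
      md.update(" is 'secret'".getBytes(StandardCharsets.UTF_8));
      byte[] digestBytes = md.digest();
      print(toHex(digestBytes)); // print and toHex are the slide's own helpers (not shown)
      //02de2bef86a1c22c58ebde582fa51e248451403a678f860dc70ab33aeceef922
    Verisign Public 11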
  • 12. HMAC: Overview • Keyed Hash • Hash created using the message and the secret key • Secret key is factored in when creating the hash • Described in RFC 2104 • Algorithms • HMAC/SHA-1 • HMAC/SHA-256 • Diagram: Clear Text (hello, world) + Shared Key (secret_key) → HMAC Function → HMAC Tag (e4d7f1b4ed2e42d15898f4b27b019da4) Verisign Public 12
  • 13. HMAC: Security Goal • Cryptographic Primitives => Security Goals • Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates • Security Goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality, Trust Verisign Public 13
  • 14. Symmetric Crypto: Overview • Diagram: Cleartext → Encryption → Ciphertext → Decryption → Cleartext, with the same Secret Key used at both steps • Same key is used for encryption and decryption • Parties need a mechanism to exchange the shared key securely • Key must be secret and safely stored Verisign Public 14
  • 15. Symmetric Crypto: Security Goal • Cryptographic Primitives => Security Goals • Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates • Security Goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality, Trust Verisign Public 15
  • 16. Symmetric Crypto: Uses • Vital for secure storage and secure transmission • Prevents attackers from being able to make sense of disk data or network packets accessed illegitimately • Symmetric key ciphers are efficient • Relatively inexpensive to produce a strong key • Smaller keys for the same level of protection • Comparatively inexpensive encryption/decryption Verisign Public 16
  • 17. Symmetric Crypto: Details • Algorithms • DES, 3DES, AES-x (x=128,192,256), RC4 • Attacks: Cryptanalysis; Key compromise • Mitigations: Block Cipher Mode of Operation – avoid ECB; Larger Keys, Rotate/Rollover keys periodically; Secure Key Storage (Restricted file system/VM, HSM) Verisign Public 17
  • 18. Symmetric Crypto: Java
      import javax.crypto.Cipher;
      import javax.crypto.KeyGenerator;
      import javax.crypto.SecretKey;
      import javax.crypto.spec.IvParameterSpec;
      // Generate a 256-bit AES key
      KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
      keyGenerator.init(256);
      SecretKey secretKey = keyGenerator.generateKey();
      byte[] initVector = getRandomIv(); // the slide's own helper (not shown)
      IvParameterSpec ivSpec = new IvParameterSpec(initVector);
      Cipher aesCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
      aesCipher.init(Cipher.ENCRYPT_MODE, secretKey, ivSpec);
      byte[] text = "Sensitive Data".getBytes();
      byte[] textEncrypted = aesCipher.doFinal(text);
      //Receiving end: needs the same key and the same IV
      aesCipher.init(Cipher.DECRYPT_MODE, secretKey, ivSpec);
      byte[] textDecrypted = aesCipher.doFinal(textEncrypted);
    Verisign Public 18
  • 19. Asymmetric Crypto: Overview • Diagram: Cleartext → Encryption → Ciphertext → Decryption → Cleartext, using the Public Key and the Private Key • Public Key is well-known and published to all • Private Key is secret and must be stored safely by owner • Encrypt with one Key, Decrypt with another Key • Infeasible to compute Private Key from Public Key Verisign Public 19
  • 20. Asymmetric Crypto: Security Goal • Cryptographic Primitives => Security Goals • Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates • Security Goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality*, Trust • * Public key can be used to encrypt data that can only be decrypted using Private key Verisign Public 20
  • 21. Comparing Crypto Strengths • Smaller Keys are more efficient • Faster generation • Faster encrypt/decrypt • Smaller encrypted output • Longer keys have higher crypto strength • For same algorithm • Symmetric Keys are smaller for same crypto strength Verisign Public 21
  • 22. Asymmetric Crypto: Overview • Key generation, encryption/decryption are expensive compared to symmetric keys • Used to encrypt small amounts of data, mostly for authentication • Rarely used for encryption of regular data which is voluminous • Private key must be securely stored similar to symmetric keys Verisign Public 22
  • 23. Asymmetric Crypto: Uses • Secure Communications • Data origin authentication • No interception/diversion aka Man-in-the-middle • Symmetric Key exchange during session establishment • SSL, PGP, SSH • Mechanisms • Digital Signatures • Digital Certificates Verisign Public 23
  • 24. Asymmetric Crypto: Java
      import java.security.KeyPair;
      import java.security.KeyPairGenerator;
      import java.security.PrivateKey;
      import java.security.PublicKey;
      // Generate a 2048-bit RSA key pair
      KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
      kpg.initialize(2048);
      KeyPair keyPair = kpg.generateKeyPair();
      PublicKey publicKey = keyPair.getPublic();
      PrivateKey privateKey = keyPair.getPrivate();
      byte[] dataBytes = "Sensitive Data".getBytes();
      byte[] encBytes = encrypt(…);//using private key, and tx
    Verisign Public 24
  • 25. Digital Signatures: Overview • Diagram: Transmitting Host: clear text data → hashed (5f4dcc3b5aa765d61d8327deb882cf99) → encrypted with private key (n3eJrIzB3UvIbh01z61bEPFDpbZXyzvLORBC5spQLI8=); clear text data and encrypted hash travel over the Insecure Channel; Receiving Host: clear text data → hashed (5f4dcc3b5aa765d61d8327deb882cf99) == encrypted hash → decrypted with public key (5f4dcc3b5aa765d61d8327deb882cf99) • Builds on Hashing and Asymmetric Crypto • Actual data remains in cleartext but signature is attached • Data origin authentication, Data integrity assurance Verisign Public 25
  • 26. Digital Signatures: Security Goal • Cryptographic Primitives => Security Goals • Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates • Security Goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality*, Trust • * Public key can be used to encrypt data that can only be decrypted using Private key Verisign Public 26
  • 27. Digital Signatures: Details • Algorithms • RSA/SHA-x, DSA, ECDSA (Elliptic Curve) • Applications • PGP Signed Email, SSL Certificate Signatures, DNSSEC • Attacks: Signature forgery by exploiting weak hash functions; Private key compromise • Mitigations: Strong hashes and strong encryption; Secure private key storage Verisign Public 27
  • 28. Digital Certificates: Signatures + Chain of Trust • Builds on Digital Signatures and PKI • Certificate is a "Digitally Signed Public Key" • Chain of Trust with Certificate Authorities • DNSSEC also has Chain of Trust but no certs Verisign Public 28
  • 29. Digital Certificates: Details • Certificate is public and valid for a time interval (typically years) • Certifies that Public Key identifies Subject • DNS hostname, Email address etc. • Affixed with CA signature • Verifier configures Trust Anchor • a node in the Chain of Trust • root always trusted • Root CA is ultimate authority • Self-signed certificate trusted by clients Digital Certificate • Version • Serial Number • Signature Algorithm • Issuer Name • Validity • Not Before Date • Not After Date • Subject Name • Subject Public Key • Algorithm • Key • Extensions • Signature Verisign Public 29
  • 30. Digital Certificates: Security Goal • Cryptographic Primitives => Security Goals • Primitives: Hash, Salted Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates • Security Goals: Data Integrity, Data Authentication, Non-Repudiation, Confidentiality*, Trust • * Public key can be used to encrypt data that can only be decrypted using Private key Verisign Public 30
  • 31. Digital Certificates: Details • Attacks: Private key compromise (anywhere in Trust Chain); Fraudulent yet cryptographically valid certs, typically via hash collisions • Mitigations: Use reputed CAs; Strong encryption and hash functions; Secure Key Storage; Certificate Revocation Verisign Public 31
  • 32. Data Security Considerations for the Cloud Verisign Public 32
  • 33. Cloud Data Security: Context • Data Security is crucial for Enterprises • Data Protection is vital for Reputation • Concerns on Data Security are a deterrent to broader adoption of Cloud Computing • Data moves out of Enterprise boundaries • Trust on Cloud providers • Shared infrastructure • Yet benefits of Cloud Computing are compelling • Need for comprehensive and non-intrusive data security Verisign Public 33
  • 34. Top Cloud Data Security Issues: Gartner • Breach notification and data residency • Data management at rest • Data protection in motion • Encryption key management • Access controls • Long-term resiliency of the encryption system Verisign Public 34
  • 35. Cloud Data Security: Who is responsible ? “Encryption of sensitive data is generally a good security practice, and AWS encourages you to encrypt your sensitive data via an algorithm consistent with your applicable security policy.” – Amazon Web Services: Overview of Security Processes • Who is responsible for the overall security ? • Different levels of providers • Shared infrastructure can make extent of breach higher • APIs allow many admin functions to be carried out • Malicious entities can look for weaknesses in the API • Can gain broad access to shared infrastructure Verisign Public 35
  • 36. Cloud Data Security: Encryption Layers • Different Layers of Encryption • Block Storage / Disks • Filesystems • Databases • Applications Applications Databases Filesystems Disks • Higher-level encryption can protect better but is harder • Key question: Who has the key(s) ? • They have access • Disks encrypted by provider • Provider can see disk content • Filesystems encrypted by provider • Provider can see file content • … and so on Verisign Public 36
  • 37. Cloud Data Security: Broad Concerns • Is server based encryption sufficient ? • Encryption Gateways on the client/enterprise side • How secure are the encryption keys ? • Stored in the Cloud - Secured VM, HSM • Stored by Client/enterprise (Encryption Gateways) Verisign Public 37
  • 38. 1-way Hashes: Upshot for Cloud • If your cloud provider is able to send you your password for Forgot Password, … • Apps hosted by you on provider’s infra should use 1- way hashes with salt for storing passwords in the database Verisign Public 38
  • 39. Symmetric Crypto: Upshot for Cloud • Secure way to store uploaded data, sensitive personal information in databases, VM images, emails etc. • Cloud service provider • What is encrypted and using what mechanism? • How and where are secret keys stored ? Are they rotated ? • Is there a way that only I can use the secret key without the provider having access to it ? • Apps provided by you • Are you encrypting sensitive data stored in databases, Text Search indexes etc. • How secure is your secret key ? Verisign Public 39
  • 40. Asymmetric Crypto: Upshot for Cloud • Cloud Service Provider • Are they using valid non-expired SSL certificates and strong encryption ? • Server certs and client certs (if applicable) • Are their domains DNSSEC enabled ? • Protection against DNS Cache Poisoning Attacks • Do they renew certificates and roll over DNSSEC keys ? • Apps provided by you • Is HTTPS used for all confidential exchanges ? • Are signed emails used especially for input emails that trigger workflow actions ? • Is certificate-based client authentication implemented properly ? Verisign Public 40
  • 41. Recent Trends in Cloud Data Security Verisign Public 41
  • 42. Hardware Security Modules • Secure and tamper-resistant storage for high-value keys • Traditionally used for CAs, DNSSEC signers • Now being considered for more uses in the Cloud • Very difficult to access/steal keys from the device • Various FIPS levels • May Respond to tamper attempts • Highly secure ones can self-destruct keys • Often JCE KeyStore provider is supplied by vendor • Can use JCE KeyStore abstraction directly from Java apps • If not, need to use a JCE PKCS#11 Provider • Uses JNI to invoke the native PKCS#11 API libraries Verisign Public 42
  • 43. Hardware Security Modules • Key stays within the HSM • Cryptographic operations occur within the hardware • signing • encryption/decryption • Cryptographic black box • input data goes in • cryptographically transformed data comes out Storage Creation Destruction Usage Distribution Verisign Public 43
  • 44. Cloud Encryption Gateways SaaS PaaS IaaS Encryption Gateway SaaS forms PaaS API Cloud DB JDBC • Intercept and transform sensitive data before it goes out • Replace it with a random token or strongly encrypted value • Must be of same size and type, else things will break • Do reverse operation for data coming back into premises • Real-time crypto operation on every request/response Verisign Public 44
  • 45. Cloud Encryption Gateways • Enterprise owns encryption key or token vault • Data stored in Cloud provider’s datastores is mangled • Data stores include databases, Text Search indexes • Sensitive data not compromised • Field-based operation • Can specify the sensitive fields • Only those will be transformed • Cloud platform aware • Gateway needs to do transformations specific to the SaaS, PaaS involved in the interaction • Not platform-agnostic Verisign Public 45
  • 46. Cloud Encryption Gateways – Format Preservation • Format preserving encryption • Usually encryption produces longer ciphertext than plain-text • logical data type may change too • e.g. 1234567812345670 (16 digit number) -> lqRcvPnCqUJc3p4nSUjLZw==, (24 char base64 encoded string) • Size and datatype mismatch in transformation will break things • Database column type and length • Application data types and length • Ciphertext is in same format (type and length) as input plaintext • Input: 10 digit numeric id, Output: a different 10 digit numeric id • Input: 30 character address, Output: 30 character mangled string Verisign Public 46
  • 47. Cloud Encryption Gateways – Function Preservation • Function preserving encryption • Just format preservation may not be sufficient • What about • Wildcard matches • Sort orders • Need encryption/tokenization that is order-preserving • More generally function-preserving • Solutions implementing such encryption are now available • Possibility of reduced encryption strength • Not yet clear if strength is within acceptable limits Verisign Public 47
  • 48. Fully Homomorphic Encryption: Active research area • Servers process data without decrypting and return (still-encrypted) results • Encryption + decryption only at client end • only client has keys • Data is stored in encrypted form as sent by client • No encryption or decryption done by server • Server operates in ciphertext space itself • Server does not see any plaintext query or plaintext results • General operations are theoretically possible • Currently not practically efficient • But major breakthroughs in the last few years Verisign Public 48
  • 49. Conventional vs Fully Homomorphic Encryption Server Processing Logic Decrypt Encrypt Encrypt Decrypt Client Server Processing Logic Encrypt Decrypt Client Verisign Public 49
  • 50. Conclusion • Many pieces to the Cloud Data Security puzzle • Innovative solutions are emerging based on well-proven (and also a few not-so-well-proven !) building blocks • Comprehensive approaches involving all parties are the need • News of breaches causes discomfort • It may take a while before comfort levels are reached Verisign Public 50
  • 51. References • NIST Special Publication 800-57 Recommendation for Key Management – Part 1: General (Revision 3) • MD5 considered harmful today: Creating a Rogue CA Certificate • Six security issues to tackle before encrypting cloud data http://www.computerweekly.com/news/2240180087/Six-security-issues-to-tackle-before-encrypting-cloud-data Verisign Public 51
  • 52. Thank You © 2013 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners. Oracle and Java are registered trademarks of Oracle and/or its affiliates.
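
Slides 9, 10 and 38 call for storing passwords as salted 1-way hashes. The following is an added example, not code from the deck: it goes one step beyond a single salted SHA-256 pass by using PBKDF2-HMAC-SHA256 (random salt plus an iteration count), and the class name, record format and parameter values are assumptions of this example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: salted, iterated password hashing for credential storage. */
public class PasswordStore {
    // Assumed parameters for this example, not values from the slides.
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 210_000;
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns "iterations:salt:hash"; this string is all the database stores. */
    public static String hash(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt); // fresh salt per user defeats pre-computed tables
        byte[] derived = derive(password, salt, ITERATIONS, 256);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(derived);
    }

    /** Recomputes the hash from the stored salt and compares in constant time. */
    public static boolean verify(char[] password, String stored) throws Exception {
        String[] parts = stored.split(":");
        if (parts.length != 3) {
            return false; // malformed record: fail closed
        }
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = derive(password, salt, iterations, expected.length * 8);
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations, int bits)
            throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bits);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // drop the in-memory copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample passwords.
        String recordA = hash("correct horse".toCharArray());
        String recordB = hash("correct horse".toCharArray());
        System.out.println("stored record: " + recordA);
        System.out.println("same password, different records: " + !recordA.equals(recordB));
        System.out.println("right password verifies: "
                + verify("correct horse".toCharArray(), recordA));
        System.out.println("wrong password verifies: "
                + verify("correct hors3".toCharArray(), recordA));
    }
}
```

Because only the salt, iteration count and derived hash are stored, the service cannot mail a user their old password, which is the check slide 38 suggests applying to a provider.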
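
Slide 17 says to avoid ECB and slide 18 encrypts with AES/CBC and a random IV. This added example (not from the deck) shows why: identical plaintext blocks stay visible under ECB but not under CBC, and it also shows one way to carry the IV to the receiving end by prepending it to the ciphertext. The class name, the IV-prefix layout and the sample plaintext are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/** Added example: what ECB leaks and how a random IV in CBC hides it. */
public class ModeComparison {
    private static final int BLOCK = 16; // AES block size in bytes
    private static final SecureRandom RNG = new SecureRandom();

    static byte[] encryptEcb(SecretKey key, byte[] plain) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plain);
    }

    /** Returns IV || ciphertext so the receiver gets the IV with the data. */
    static byte[] encryptCbc(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv); // a new IV for every message
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plain);
        byte[] out = new byte[BLOCK + ct.length];
        System.arraycopy(iv, 0, out, 0, BLOCK);
        System.arraycopy(ct, 0, out, BLOCK, ct.length);
        return out;
    }

    /** Receiving end: split off the IV, then decrypt the rest. */
    static byte[] decryptCbc(SecretKey key, byte[] ivAndCt) throws Exception {
        if (ivAndCt.length < 2 * BLOCK) {
            throw new IllegalArgumentException("input shorter than IV plus one block");
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ivAndCt, 0, BLOCK));
        return cipher.doFinal(ivAndCt, BLOCK, ivAndCt.length - BLOCK);
    }

    /** True if two 16-byte blocks at or after offset 'from' are identical. */
    static boolean hasRepeatedBlock(byte[] data, int from) {
        for (int i = from; i + BLOCK <= data.length; i += BLOCK) {
            byte[] a = Arrays.copyOfRange(data, i, i + BLOCK);
            for (int j = i + BLOCK; j + BLOCK <= data.length; j += BLOCK) {
                if (Arrays.equals(a, Arrays.copyOfRange(data, j, j + BLOCK))) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
        keyGenerator.init(256);
        SecretKey key = keyGenerator.generateKey();

        // Constructed sample: the same 16-byte record three times in a row.
        byte[] plain = "ACCOUNT=00001234ACCOUNT=00001234ACCOUNT=00001234"
                .getBytes(StandardCharsets.US_ASCII);

        byte[] ecb = encryptEcb(key, plain);
        byte[] cbc1 = encryptCbc(key, plain);
        byte[] cbc2 = encryptCbc(key, plain);

        System.out.println("ECB repeats a ciphertext block: " + hasRepeatedBlock(ecb, 0));
        System.out.println("CBC repeats a ciphertext block: " + hasRepeatedBlock(cbc1, BLOCK));
        System.out.println("CBC, same input twice, same output: " + Arrays.equals(cbc1, cbc2));
        System.out.println("CBC round trip restores plaintext: "
                + Arrays.equals(plain, decryptCbc(key, cbc1)));
    }
}
```

CBC hides the repetition but does not detect modification of the ciphertext; pair it with an HMAC tag over IV and ciphertext, or use an authenticated mode such as AES/GCM/NoPadding.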
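
Slides 12 and 25 describe HMAC tags and digital signatures, and slides 13 and 26 map them to security goals. This added example (not from the deck) puts the two side by side: both detect tampering, but anyone holding the shared HMAC key can mint a valid tag, while a signature can only be produced with the private key and is checked with the public key alone. It uses slide 12's sample text and key; the class and method names and the altered message are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: HMAC tag versus digital signature on the same message. */
public class TagVersusSignature {

    static byte[] hmac(byte[] sharedKey, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sharedKey, "HmacSHA256"));
        return mac.doFinal(message);
    }

    static boolean hmacValid(byte[] sharedKey, byte[] message, byte[] tag) throws Exception {
        // Recompute and compare in constant time.
        return MessageDigest.isEqual(hmac(sharedKey, message), tag);
    }

    static byte[] sign(PrivateKey privateKey, byte[] message) throws Exception {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update(message);
        return signer.sign();
    }

    static boolean signatureValid(PublicKey publicKey, byte[] message, byte[] sig)
            throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(publicKey);
        verifier.update(message);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        byte[] message = "hello, world".getBytes(StandardCharsets.UTF_8);
        byte[] altered = "hello, w0rld".getBytes(StandardCharsets.UTF_8); // constructed

        // Slide 12's sample key; a real key comes from a key generator, not a literal.
        byte[] sharedKey = "secret_key".getBytes(StandardCharsets.UTF_8);
        byte[] tag = hmac(sharedKey, message);
        System.out.println("HMAC accepts original: " + hmacValid(sharedKey, message, tag));
        System.out.println("HMAC accepts altered:  " + hmacValid(sharedKey, altered, tag));

        // The receiver holds the same key, so it can create a valid tag itself.
        // A tag therefore cannot prove to a third party which side wrote the message.
        byte[] receiverTag = hmac(sharedKey, altered);
        System.out.println("Receiver-made tag accepted: "
                + hmacValid(sharedKey, altered, receiverTag));

        // Signature: only the private-key holder can sign; the verifier needs
        // nothing but the public key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keyPair = kpg.generateKeyPair();
        byte[] sig = sign(keyPair.getPrivate(), message);
        System.out.println("Signature accepts original: "
                + signatureValid(keyPair.getPublic(), message, sig));
        System.out.println("Signature accepts altered:  "
                + signatureValid(keyPair.getPublic(), altered, sig));
    }
}
```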
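
Slides 44 to 46 describe an encryption gateway that swaps sensitive fields for same-size, same-type tokens before data leaves the enterprise and reverses the swap on the way back. This added example (not from the deck or any gateway product) implements the token-vault variant for selected fields; the class name, the in-memory vault and the sample record are assumptions of this example, with the 16-digit number taken from slide 46.

```java
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added example: field-based, format-preserving tokenization with an on-premises vault. */
public class TokenVault {
    private static final int MAX_TRIES = 1000;
    private final Map<String, String> tokenToValue = new HashMap<>();
    private final Map<String, String> valueToToken = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    /** Random string with the same length and character classes as the input. */
    private String randomSameFormat(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            if (c >= '0' && c <= '9') {
                sb.append((char) ('0' + rng.nextInt(10)));
            } else if (c >= 'a' && c <= 'z') {
                sb.append((char) ('a' + rng.nextInt(26)));
            } else if (c >= 'A' && c <= 'Z') {
                sb.append((char) ('A' + rng.nextInt(26)));
            } else {
                sb.append(c); // keep separators such as '-' or ' ' in place
            }
        }
        return sb.toString();
    }

    /** Same value always maps to the same token, so equality lookups still work. */
    public synchronized String tokenize(String value) {
        String known = valueToToken.get(value);
        if (known != null) {
            return known;
        }
        for (int i = 0; i < MAX_TRIES; i++) {
            String token = randomSameFormat(value);
            if (!token.equals(value) && !tokenToValue.containsKey(token)) {
                tokenToValue.put(token, value);
                valueToToken.put(value, token);
                return token;
            }
        }
        // Very short or separator-only values can run out of distinct tokens.
        throw new IllegalStateException("no free token for this format");
    }

    public synchronized String detokenize(String token) {
        String value = tokenToValue.get(token);
        if (value == null) {
            throw new IllegalArgumentException("unknown token");
        }
        return value;
    }

    /** Outbound: replace only the named sensitive fields. */
    public Map<String, String> outbound(Map<String, String> record, Set<String> sensitive) {
        Map<String, String> out = new LinkedHashMap<>(record);
        for (String field : sensitive) {
            out.computeIfPresent(field, (k, v) -> tokenize(v));
        }
        return out;
    }

    /** Inbound: reverse operation for data coming back into the premises. */
    public Map<String, String> inbound(Map<String, String> record, Set<String> sensitive) {
        Map<String, String> in = new LinkedHashMap<>(record);
        for (String field : sensitive) {
            in.computeIfPresent(field, (k, v) -> detokenize(v));
        }
        return in;
    }

    public static void main(String[] args) {
        // Constructed sample record; the card number is the one on slide 46.
        Map<String, String> record = new LinkedHashMap<>();
        record.put("name", "A. Customer");
        record.put("card", "1234567812345670");
        record.put("city", "Reston");
        Set<String> sensitive = Collections.singleton("card");

        TokenVault vault = new TokenVault();
        Map<String, String> sent = vault.outbound(record, sensitive);
        String token = sent.get("card");

        System.out.println("sent to cloud: " + sent);
        System.out.println("token is still 16 digits: " + token.matches("\\d{16}"));
        System.out.println("token differs from value: " + !token.equals(record.get("card")));
        System.out.println("restored on premises: "
                + vault.inbound(sent, sensitive).equals(record));
    }
}
```

The tokens carry no information about the original values, so protection rests entirely on keeping the vault inside the enterprise, as slide 45 states.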