Encryption Overview

1. Encryption Overview
- Brad Judy, Kerry Havens, IT Security Office

2. Outline
- Brief history
- Concepts and terms
- Types of encryption
- Products
- Scenarios

3. Very brief history
- 45 BCE, Rome: Julius Caesar, substitution cipher
- 850 CE, Baghdad: Abu Yusuf al-Kindi, frequency analysis
- 1587 CE, London: Mary Queen of Scots, lost her head after her enciphered letters were read
- 1923 CE, Germany: Enigma, commercial crypto
- 1976 CE, USA: Diffie-Hellman, public key crypto

4. Secret Decoder Ring: Encryption
- Word = Haagen Dazs
- Key = inside B at outside G (every letter moves five places along the alphabet)
- Encode inside to outside
- Encrypted word = mffljs ifex

5. Secret Decoder Ring: Decryption
- Encrypted word = mffljs ifex
- Key = inside B at outside G
- Decode outside to inside
- Word = Haagen Dazs

6. Basic terms
- Primary components of data encryption:
  - Data (Haagen Dazs)
  - Encryption algorithm (Caesar cipher, i.e. the ring)
    - 3DES, AES, RSA, etc.
  - Encryption key (the offset, i.e. the alignment of the rings)
    - Passwords, tokens, special files
  - Encrypted data (mffljs ifex)
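The decoder ring on the two slides above is a Caesar shift cipher: lining inside B up with outside G moves every letter five places. The Python below is an added example, not code from the original slides. It implements the ring, then recovers the key without being told it, by trying all 26 alignments and keeping the most English-looking candidate. That is the frequency-analysis idea credited to al-Kindi on the history slide, and it is why a 26-key cipher cannot protect anything. The letter-frequency table and the test sentence are constructed for the example.

```python
"""Added example (not from the original slides): the secret decoder ring as a
Caesar shift cipher, plus a key-recovery attack that tries all 26 alignments."""
import string

ALPHABET = string.ascii_lowercase


def ring_offset(inside: str, outside: str) -> int:
    """Turn a ring alignment ("inside B at outside G") into a shift amount."""
    return (ALPHABET.index(outside.lower()) - ALPHABET.index(inside.lower())) % 26


def shift_text(text: str, key: int) -> str:
    """Shift every letter by `key` places; spaces and punctuation pass through.
    Output is lower-cased, matching the slides' "mffljs ifex"."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    """Encode inside -> outside."""
    return shift_text(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """Decode outside -> inside."""
    return shift_text(ciphertext, -key)


# Approximate English letter frequencies in percent (constructed reference
# table for this example). This is the information frequency analysis exploits.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def english_score(text: str) -> float:
    """Higher means more English-like: common letters earn more weight."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text)


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Exhaustive search: only 26 keys exist, so try them all and keep the
    candidate whose letter mix looks most like English."""
    best_key = max(range(26), key=lambda k: english_score(decrypt(ciphertext, k)))
    return best_key, decrypt(ciphertext, best_key)


if __name__ == "__main__":
    key = ring_offset("B", "G")
    ct = encrypt("Haagen Dazs", key)
    print(ct, "->", decrypt(ct, key))
    # Constructed longer sample: frequency scoring needs more than two words.
    sample = "the secret decoder ring is a substitution cipher with only twenty five useful keys"
    print(break_caesar(encrypt(sample, key)))
```

The scoring is a plain dot product against the frequency table, which is enough for a sentence or more of text; for very short ciphertexts such as the slides' two words the attacker simply reads all 26 candidates by eye.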
7. Encryption by algebra
- Combination 14-32-27
- Shortened to 143227
- Secret number × (combination + secret number) = scrambled number
- Secret number = 6

8. Encryption by algebra
- Combination = 143227
- Secret number = 6
- Secret number × (combination + secret number) = scrambled number
- 6 × (143227 + 6) = scrambled number
- 6 × 143233 = 859398
- 859398 is the encrypted combination

9. Decryption by algebra
- Scrambled = 859398
- Secret number = 6
- Secret number × (combination + secret number) = scrambled number
- 6 × (combination + 6) = 859398
- combination + 6 = 859398 / 6 = 143233
- 143227 is the combination

10. Basic terms
- Primary components of data encryption:
  - Data (combination)
  - Encryption algorithm (the equation)
    - 3DES, AES, RSA, etc.
  - Encryption key (secret number)
    - Passwords, tokens, special files
  - Encrypted data (scrambled number)
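The algebra on slides 7 to 9 is a good illustration of the four components, and also of why an algorithm being secret does not help. The Python below is an added example, not code from the original slides: it implements the scheme scrambled = key × (combination + key) with the slides' numbers, then recovers the key from one known plaintext/ciphertext pair by solving the quadratic, and lists the small keys an attacker can find from the ciphertext alone because every valid key divides it. Function names and the max_key bound are choices made for this example.

```python
"""Added example (not from the original slides): the "encryption by algebra"
scheme scrambled = key * (combination + key), and two ways to break it."""
import math
from typing import Optional


def encrypt_combination(combination: int, key: int) -> int:
    """Slide 8: secret number x (combination + secret number)."""
    return key * (combination + key)


def decrypt_combination(scrambled: int, key: int) -> int:
    """Slide 9: divide by the secret number, then subtract it."""
    if scrambled % key != 0:
        raise ValueError("not a multiple of the key: wrong key or corrupted value")
    return scrambled // key - key


def recover_key(combination: int, scrambled: int) -> Optional[int]:
    """Known-plaintext attack. c = k*(m + k) = k^2 + m*k, so k is the positive
    root of k^2 + m*k - c = 0, i.e. k = (-m + sqrt(m^2 + 4c)) / 2.
    Integer square root keeps this exact for large values."""
    disc = combination * combination + 4 * scrambled
    root = math.isqrt(disc)
    if root * root != disc or (root - combination) % 2:
        return None  # the pair was not produced by this scheme
    return (root - combination) // 2


def candidate_combinations(scrambled: int, max_key: int) -> list[tuple[int, int]]:
    """Ciphertext-only attack. Every valid key divides the scrambled number, so
    trial division up to max_key lists the (key, combination) pairs an attacker
    would then try against the lock."""
    return [
        (k, scrambled // k - k)
        for k in range(1, max_key + 1)
        if scrambled % k == 0
    ]


if __name__ == "__main__":
    c = encrypt_combination(143227, 6)
    print("scrambled:", c, "-> combination:", decrypt_combination(c, 6))
    print("key from one known pair:", recover_key(143227, c))
    print("small-key candidates:", candidate_combinations(c, 10))
```

With the slides' numbers the ciphertext-only search returns just four candidates, only one of which is six digits long. The lesson carried over to real ciphers is the same: the key, not the equation, has to be the secret, and the key space has to be far too large to enumerate.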
11. One key, two key…
- Same key encrypts and decrypts (symmetric)
  - Classic password-based encryption
- One key for encrypting, a different key for decrypting (asymmetric)
  - Public-key encryption
  - Digital signatures (one key signs, the other verifies)
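To make the two-key property concrete, here is an added example that is not from the original slides: textbook RSA with toy-sized primes. The public key encrypts and only the private key decrypts; for a signature the roles reverse, the private key signs a digest and anyone holding the public key verifies it. The primes, exponent and messages are constructed for illustration, and the code deliberately omits the padding (OAEP, PSS) and the 2048-bit-or-larger moduli that real deployments need, so it demonstrates the key relationship and nothing more.

```python
"""Added example (not from the original slides): textbook RSA with toy primes,
showing one key encrypting and a different key decrypting, and the reversed
roles for digital signatures. Illustration only: no padding, tiny modulus."""
import hashlib
from math import gcd

PublicKey = tuple[int, int]   # (n, e)
PrivateKey = tuple[int, int]  # (n, d)


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[PublicKey, PrivateKey]:
    """Derive (public, private) from two primes. e is published, d stays secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt_int(m: int, public: PublicKey) -> int:
    """Anyone with the public key can encrypt..."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer smaller than n")
    return pow(m, e, n)


def decrypt_int(c: int, private: PrivateKey) -> int:
    """...but only the holder of the private key can decrypt."""
    n, d = private
    return pow(c, d, n)


def message_digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the modulus range so it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private: PrivateKey) -> int:
    """Signing applies the private key to the message digest..."""
    n, d = private
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public: PublicKey) -> bool:
    """...and anyone can check the signature with the public key."""
    n, e = public
    return pow(signature, e, n) == message_digest(message, n)


if __name__ == "__main__":
    # Toy primes (constructed for the example; nowhere near a secure size).
    public, private = make_keypair(1000003, 1000033)
    c = encrypt_int(143227, public)
    print("ciphertext:", c, "-> decrypted:", decrypt_int(c, private))
    s = sign(b"Haagen Dazs", private)
    print("signature valid:", verify(b"Haagen Dazs", s, public))
    print("tampered message valid:", verify(b"Haagen Dazz", s, public))
```

Contrast this with the symmetric case on the slide: there the sender and receiver must first share one secret, which is exactly the distribution problem public-key encryption removes, and which the key-management caveats at the end of the deck are about.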
12. When to use encryption
- If sensitive data and prying eyes may meet
- Sensitive data
  - SSN, PII, financial, medical, passwords, etc.
- Potential for exposure to prying eyes
  - Transmission over a network
  - Theft/loss
  - System hacked
  - Must give access to an untrusted party

13. More terms
- At rest: data is written on a storage device (disk, tape, CD, thumb drive, etc.)
- In transit: data is being transmitted over a network
- "Stickiness": the quality of encryption that stays with a file as it is transferred between disks or computers

14. Where can we encrypt?
- Network
- Disk
- File/folder
- E-mail
- Database

15. Network encryption
- SSL/TLS: web (HTTPS) and more
- SSH: terminal, file transfer and more
- IPsec
  - Any traffic, but requires client and server configuration
- WPA and WEP
  - Wireless only; WEP is not considered secure

16. Network encryption products
- Generally built into the OS or application
- Hardware acceleration options for SSL/TLS and IPsec
- Wireless encryption requires hardware support

17. Disk encryption
- Encrypts the entire contents of a disk or volume
- Typically requires the key at boot
- Encryption does not "stick" to files: a file copied off the volume is plaintext
- Boot drive vs. non-boot drive
- Good for theft/loss, but not hacking: once the system is booted and unlocked it serves plaintext to whoever controls it

18. Disk encryption products
- Some OS-integrated options
  - BitLocker (EFS, also listed under file/folder products, encrypts individual files rather than the whole volume)
- Third-party software
  - PGP, Utimaco, PointSec, etc.
- Hardware-level disk encryption beginning to show up

19. File/folder encryption
- Encrypt individual files or groups of files
- Encryption may "stick" to files
- Can be difficult to manage with multiple users
- Can be good for theft/loss, hacking and the untrusted-party case

20. File/folder encryption products
- Some OS-integrated options
  - EFS, FileVault
- Third-party software
  - PGP, Utimaco, etc.
- Freeware apps (GnuPG, TrueCrypt, etc.)

21. E-mail encryption
- Encrypt the e-mail attachment
- Encrypt the entire message body (headers such as sender, recipient and subject cannot be encrypted)
- Recipient must be able to decrypt
- Good for transmission over a network

22. E-mail encryption products
- Most clients support S/MIME, but it requires issuing certificates
- PGP/GnuPG is very popular
- See the file-level encryption products for encrypting attachments

23. Database encryption
- Application layer: smart app, but no special DB requirements
- Database layer: DB requirements and maybe app requirements
- Disk encryption: not useful for most database server attacks, since the database reads plaintext once the volume is unlocked

24. Database encryption products
- Application layer depends on your app vendor
- Database layer
  - Built-in options
    - Oracle Advanced Security Option added to CU license
    - MS SQL 2005 added a native encryption feature
  - Add-on encryption for DBs

25. Scenarios
- Notebook with sensitive information
- File server with sensitive information
- Sending sensitive e-mails
- Web applications collecting information
- USB thumb drives

26. Protecting sensitive information
- 1. Get rid of the sensitive information
  - Remove entire files
  - Remove sensitive info from files
- 2. Move sensitive info offline
- 3. Protect sensitive info
  - Minimum security standards for private info

27. Notebook with sensitive info
- Primary threat: theft or loss
- Whole-disk encryption
  - Best guarantee of protecting the data
- File/folder encryption
  - Can protect the data if users encrypt the right files

28. File server with sensitive info
- Primary threats: hack, transmission over the network, theft/loss of backups
- File/folder encryption: may protect on all counts, but can be complicated with multiple users
- Disk encryption: doesn't protect on any of these counts (the running server hands out decrypted data, and backups are written out in the clear)

29. Sensitive e-mail
- Threats: e-mail intercepted or accidentally CC'ed to the wrong people
- E-mail encryption: can protect from accidental disclosure
- E-mail signing: only proves who sent the message and that it was not altered; it does not hide the contents
- File/folder encryption: can protect the attachment only

30. Web applications
- Threats: sensitive information is intercepted when sent to the web server; the web server is spoofed/phished
- SSL/TLS encryption can protect data in transit and (if users are trained to check the certificate) can help them verify it is the real server
- Data must then be protected at rest
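The "real server" point on slide 30 deserves a worked illustration, added here and not part of the original slides: TLS only establishes the server's identity if the client verifies the certificate chain and checks that the certificate's name matches the host it meant to reach. Python's ssl module is used. The first context is the one you want; the second is what "just make the certificate error go away" code produces, and it would accept a spoofed server presenting any self-signed certificate while still showing the padlock-style encryption the slide mentions. fetch_peer_certificate opens a real connection, so it needs network access and is not exercised offline; the function names are choices for this example.

```python
"""Added example (not from the original slides): what 'verify it is the real
server' means for a TLS client, shown with Python's ssl module."""
import socket
import ssl


def make_verifying_context() -> ssl.SSLContext:
    """The context you want: trusts the system CA bundle, requires a certificate
    that chains to it, and checks the certificate's name against the host."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The 'make the error go away' version. Traffic is still encrypted, but any
    certificate is accepted, so a spoofed server looks exactly like the real one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that decide whether server identity is checked."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def fetch_peer_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the verifying context and return the server's certificate.
    Raises ssl.SSLCertVerificationError when the chain or host name does not
    check out. Requires network access, so it is not run offline."""
    ctx = make_verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("verifying:", describe(make_verifying_context()))
    print("insecure: ", describe(make_insecure_context()))
```

A browser does the same two checks on the user's behalf; the training the slide refers to is teaching users not to click through the warning that appears when either check fails.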
31. USB thumb drives
- Threats: theft/loss
- Whole-disk encryption: most products support USB drives
- File/folder encryption: protects if the right files are encrypted

32. Encryption caveats
- Key management
  - You lose the keys, you lose the data
  - Key generation, distribution, backup, protection, etc.
- Impact on system management
  - Particularly on whole-disk encryption
- "Stickiness" of encryption, or lack thereof
  - Can confuse users
  - Can lead to unencrypted sensitive information