Encryption Overview
    Presentation Transcript

    • Encryption Overview. Brad Judy and Kerry Havens, IT Security Office
    • Outline
      • Brief history
      • Concepts and terms
      • Types of encryption
      • Products
      • Scenarios
    • Very brief history
      • 45 BCE, Rome: Julius Caesar, substitution cipher
      • 850 CE, Baghdad: Abu Yusuf al-Kindi, frequency analysis
      • 1587 CE, London: Mary Queen of Scots, lost her head
      • 1923 CE, Germany: Enigma, commercial crypto
      • 1976 CE, USA: Diffie-Hellman, public key crypto
    • Secret Decoder Ring Encryption
      • Word = Haagen Dazs
      • Key = inside B at outside G
      • Encode inside to outside
      • Encrypted word = mffljs ifex
    • Secret Decoder Ring Decryption
      • Encrypted word = mffljs ifex
      • Key = inside B at outside G
      • Decode outside to inside
      • Word = Haagen Dazs
    • Basic terms
      • Primary components of data encryption:
        • Data (Haagen Dazs)
        • Encryption algorithm (Caesar cipher, the ring): 3DES, AES, RSA, etc.
        • Encryption key (offset, i.e. the alignment of the rings): passwords, tokens, special files
        • Encrypted data (mffljs ifex)
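The decoder-ring slides describe a Caesar shift: aligning inside B with outside G moves every letter five positions. The Python below is an added example, not code from the presentation. It turns the ring alignment into a shift, reproduces the slide's encoding and decoding of "Haagen Dazs", and adds a `guess_shift` function (my own addition) that applies the frequency analysis credited to al-Kindi on the history slide, to show why a substitution cipher is not a real protection for sensitive data. The sentence it is exercised on is constructed for the demo.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase


def ring_offset(inside: str, outside: str) -> int:
    """Turn a ring alignment such as 'inside B at outside G' into a shift (5 here)."""
    return (ALPHABET.index(outside.lower()) - ALPHABET.index(inside.lower())) % 26


def shift_text(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions; spaces and punctuation pass through.
    Output is lowercase, matching the slide's 'mffljs ifex'."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encode(word: str, inside: str, outside: str) -> str:
    """Encode inside to outside: apply the ring's shift forwards."""
    return shift_text(word, ring_offset(inside, outside))


def decode(word: str, inside: str, outside: str) -> str:
    """Decode outside to inside: apply the same shift backwards (same key both ways)."""
    return shift_text(word, -ring_offset(inside, outside))


def guess_shift(ciphertext: str) -> int:
    """Frequency analysis: in English text 'e' is the most common letter, so assume
    the most frequent ciphertext letter is a shifted 'e' and read the shift off it.
    Needs a reasonable amount of text; it will not work on two words."""
    counts = Counter(ch for ch in ciphertext.lower() if ch in ALPHABET)
    top, _ = counts.most_common(1)[0]
    return (ALPHABET.index(top) - ALPHABET.index("e")) % 26


if __name__ == "__main__":
    print(encode("Haagen Dazs", "B", "G"))                 # mffljs ifex
    print(decode("mffljs ifex", "B", "G"))                 # haagen dazs
    # Constructed sample sentence: long enough for letter frequencies to show.
    sample = "the quick brown fox jumps over the lazy dog and then sleeps beneath the tree"
    print("recovered shift:", guess_shift(shift_text(sample, 5)))
```

The point of `guess_shift` is the one the "Basic terms" slide makes: the algorithm (the ring) is public, the key is only one of 26 alignments, and the statistics of the plaintext leak straight through, so a modern cipher such as AES is what "encryption algorithm" has to mean in practice.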
    • Encryption by algebra
      • Combination 14-32-27, shortened to 143227
      • Secret number × (combination + secret number) = scrambled number
      • Secret number = 6
    • Encryption by algebra
      • Combination = 143227
      • Secret number = 6
      • Secret number × (combination + secret number) = scrambled number
      • 6 × (143227 + 6) = scrambled number
      • 6 × (143227 + 6) = 859398
      • 859398 is the encrypted combination
    • Decryption by algebra
      • Scrambled = 859398
      • Secret number = 6
      • Secret number × (combination + secret number) = scrambled number
      • 6 × (combination + 6) = 859398
      • (combination + 6) = 143233
      • 143227 is the combination
    • Basic terms
      • Primary components of data encryption:
        • Data (combination)
        • Encryption algorithm (the equation): 3DES, AES, RSA, etc.
        • Encryption key (secret number): passwords, tokens, special files
        • Encrypted data (scrambled number)
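The algebra slides use the rule "secret × (combination + secret) = scrambled". The following is an added example, not code from the presentation: `scramble` and `unscramble` carry the slide's own numbers through, and `recover_secret` (my addition) shows that because the rule is public, a single known combination/scrambled pair gives the secret back by solving a quadratic. That is the lesson behind the "Basic terms" slide: the algorithm is assumed known, so all the secrecy has to live in the key, and the key has to be something a formula cannot simply solve for.

```python
from math import isqrt


def scramble(combination: int, secret: int) -> int:
    """The slide's rule: secret * (combination + secret) = scrambled number."""
    return secret * (combination + secret)


def unscramble(scrambled: int, secret: int) -> int:
    """Invert the rule with the key: divide by the secret, then subtract it."""
    quotient, remainder = divmod(scrambled, secret)
    if remainder:
        raise ValueError("scrambled value is not a multiple of the secret")
    return quotient - secret


def recover_secret(combination: int, scrambled: int) -> int:
    """Without the key, but knowing the rule and one plaintext/ciphertext pair.
    If y = s * (c + s) then s^2 + c*s - y = 0, so s = (-c + sqrt(c^2 + 4y)) / 2.
    Integer arithmetic only, so the result is exact for the slide's numbers."""
    discriminant = combination * combination + 4 * scrambled
    root = isqrt(discriminant)
    if root * root != discriminant:
        raise ValueError("no integer secret fits this pair")
    return (root - combination) // 2


if __name__ == "__main__":
    y = scramble(143227, 6)
    print("scrambled:", y)                         # 859398
    print("unscrambled:", unscramble(y, 6))        # 143227
    print("secret recovered from one pair:", recover_secret(143227, y))   # 6
```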
    • One key, two key…
      • Same key encrypts and decrypts (synchronous): classic password key encryption
      • One key for encrypting, a different key for decrypting (asynchronous): public-key encryption
      • Digital signatures (one key signs, one verifies)
    • When to use encryption
      • If sensitive data and prying eyes may meet
      • Sensitive data: SSN, PII, financial, medical, passwords, etc.
      • Potential for exposure to prying eyes:
        • Transmission over network
        • Theft/loss
        • System hacked
        • Must give access to an untrusted party
    • More terms
      • At rest: data is written on a storage device (disk, tape, CD, thumb drive, etc.)
      • In transit: data is being transmitted over a network
      • “Stickiness”: the quality of encryption to stay with a file as it is transferred between disks or computers
    • Where can we encrypt?
      • Network
      • Disk
      • File/folder
      • E-mail
      • Database
    • Network encryption
      • SSL: web (HTTPS) and more
      • SSH: terminal, files and more
      • IPSec: any traffic, but requires client and server configuration
      • WPA and WEP: wireless only; WEP is not considered secure
    • Network encryption products
      • Generally built into the OS or application
      • Hardware acceleration options for SSL and IPSec
      • Wireless encryption requires hardware support
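The "One key, two key" slide lists the two-key case (the slide's "asynchronous", more commonly called asymmetric or public-key encryption) and digital signatures. The Python below is an added example, not code from the presentation, using a textbook-sized RSA key pair (constructed primes 61 and 53, far too small for real use) so the arithmetic is visible: the public key encrypts and the private key decrypts, and for signatures the roles swap, the private key signs a digest and the public key verifies it.

```python
import hashlib

# Constructed textbook RSA parameters: tiny, for illustration only. Real keys are
# 2048 bits or more and come from a vetted library, never from hand-picked primes.
P, Q = 61, 53
N = P * Q                    # 3233: the modulus, part of both keys
PHI = (P - 1) * (Q - 1)      # 3120
E = 17                       # public exponent
D = pow(E, -1, PHI)          # private exponent, the modular inverse of E (2753)

PUBLIC_KEY = (E, N)          # handed out freely: encrypts and verifies
PRIVATE_KEY = (D, N)         # kept secret: decrypts and signs


def rsa_encrypt(m: int, public_key=PUBLIC_KEY) -> int:
    """Anyone holding the public key can encrypt a number smaller than the modulus."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key=PRIVATE_KEY) -> int:
    """Only the private key undoes the encryption: a different key from the one that encrypted."""
    d, n = private_key
    return pow(c, d, n)


def digest_to_int(message: bytes, n: int = N) -> int:
    """Hash the message and reduce it into the RSA range; signing operates on this value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signing uses the keys the other way round: the private key transforms the digest."""
    d, n = private_key
    return pow(digest_to_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone with the public key checks that the signature opens to the message digest.
    A changed message or a changed signature fails the comparison."""
    e, n = public_key
    return pow(signature, e, n) == digest_to_int(message, n)


if __name__ == "__main__":
    c = rsa_encrypt(65)
    print("ciphertext", c, "decrypts to", rsa_decrypt(c))          # 2790 -> 65
    s = sign(b"Transfer 10 dollars")
    print("valid:", verify(b"Transfer 10 dollars", s),
          "tampered:", verify(b"Transfer 99 dollars", s))
```

This is why the slide says signing "only ensures validity": a signature proves who produced the message and that it was not altered, but the message itself is still readable by anyone, which is the point the later "Sensitive E-mail" slide makes.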
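The network slides say SSL (today TLS) is "generally built into the OS or application". What the application then has to get right is verification of the server, which is what makes the later "Web applications" point about spoofed servers hold. The Python below is an added example, not from the presentation, using only the standard `ssl` module: a weak client context that encrypts but never checks who it is talking to, the hardened form next to it, and a small audit function a deployment script could run over every context it builds. No network connection is made.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate warning go away' configuration. The session is still
    encrypted, but the client never checks who it is talking to, so any host on the
    path can present its own certificate and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate against the OS trust store, require the name in
    the certificate to match the host, and refuse TLS 1.0 and 1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this context actually authenticate the server?"""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def audit(contexts: dict) -> dict:
    """Map each named context to whether it authenticates the peer."""
    return {name: context_verifies_peer(ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    print(audit({"weak": weak_client_context(), "hardened": hardened_client_context()}))
    # {'weak': False, 'hardened': True}
```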
    • Disk encryption
      • Encrypt the entire contents of a disk or volume
      • Typically requires the key at boot
      • Encryption does not “stick” to files
      • Boot drive vs non-boot drive
      • Good for theft/loss, but not hacking
    • Disk encryption products
      • Some OS integrated options: EFS, Bitlocker
      • Third-party software: PGP, Utimaco, PointSec, etc.
      • Hardware level disk encryption beginning to show up
    • File/folder encryption
      • Encrypt individual files or groups of files
      • Encryption may “stick” to files
      • Can be difficult to manage with multiple users
      • Can be good for theft/loss, hacking and untrusted party
    • File/folder encryption products
      • Some OS integrated options: EFS, FileVault
      • Third-party software: PGP, Utimaco, etc.
      • Freeware apps (GnuPG, TrueCrypt, etc.)
    • E-mail encryption
      • Encrypt the e-mail attachment
      • Encrypt the entire message (cannot encrypt headers)
      • Recipient must be able to decrypt
      • Good for transmission over a network
    • E-mail encryption products
      • Most clients support S/MIME, but it requires issuing certificates
      • PGP/GnuPG is very popular
      • See file level encryption products for encrypting attachments
    • Database encryption
      • Application layer: smart app, but no special DB requirements
      • Database layer: DB requirements and maybe app requirements
      • Disk encryption: not useful for most database server attacks
    • Database encryption products
      • Application layer depends on your app vendor
      • Database layer, built-in options:
        • Oracle Advanced Security Option added to CU license
        • MS SQL 2005 added native encryption feature
      • Add-on encryption for DBs
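The database slides distinguish application-layer encryption ("smart app, but no special DB requirements") from database-layer and disk encryption. The Python below is an added example, not code from the presentation: the application encrypts a column before it reaches SQLite, so the database engine needs nothing special, and the same block shows the consequence that the database can no longer search that column by plaintext value. The cipher is a constructed HMAC-SHA256 counter-mode keystream so the example runs with the standard library alone; it is the "same key encrypts and decrypts" case from the "One key, two key" slide, carries no integrity protection, and a real application would use AES-GCM from a vetted library with the key held in a key store rather than in source. The table, rows and key are all constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key. A real deployment fetches this from a key store at startup.
APP_KEY = b"demo-key-do-not-use"
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (constructed for this demo, not a
    vetted cipher). A fresh nonce per row keeps identical SSNs from encrypting alike."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(plaintext: str, key: bytes = APP_KEY) -> bytes:
    """Application-layer encryption: returns nonce || ciphertext, stored as a BLOB."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def decrypt_field(blob: bytes, key: bytes = APP_KEY) -> str:
    """Same key, same keystream, XOR again: only the application can read the value."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body)))).decode()


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with a sensitive column; the DB sees only ciphertext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB)")
    for name, ssn in [("Alice", "123-45-6789"), ("Bob", "987-65-4321")]:  # constructed rows
        conn.execute("INSERT INTO patients (name, ssn) VALUES (?, ?)", (name, encrypt_field(ssn)))
    conn.commit()
    return conn


def stored_ssn_blob(conn: sqlite3.Connection, name: str) -> bytes:
    """What an attacker who dumps the table (the slide's 'hack') actually gets."""
    return conn.execute("SELECT ssn FROM patients WHERE name = ?", (name,)).fetchone()[0]


def lookup_by_plaintext_ssn(conn: sqlite3.Connection, ssn: str) -> list:
    """The cost of the approach: the DB cannot match or index on the plaintext value."""
    return conn.execute("SELECT name FROM patients WHERE ssn = ?", (ssn,)).fetchall()


def read_ssn(conn: sqlite3.Connection, name: str) -> str:
    """The application path: fetch the blob and decrypt it with the app's key."""
    return decrypt_field(stored_ssn_blob(conn, name))


if __name__ == "__main__":
    db = build_demo_db()
    print("stored:", stored_ssn_blob(db, "Alice").hex())
    print("app reads:", read_ssn(db, "Alice"))
    print("plaintext search finds:", lookup_by_plaintext_ssn(db, "123-45-6789"))
```

The last query is the trade-off the "Database layer" bullet hints at: once the value is encrypted above the database, equality searches, indexes and reporting on that column have to be redesigned, which is why database-layer options such as the Oracle and MS SQL features on the slide exist.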
    • Scenarios
      • Notebook with sensitive information
      • File server with sensitive information
      • Sending sensitive e-mails
      • Web applications collecting information
      • USB thumbdrives
    • Protecting sensitive information
      • 1: Get rid of the sensitive information (remove entire files; remove sensitive info from files)
      • 2: Move sensitive info offline
      • 3: Protect sensitive info (minimum security standards for private info)
    • Notebook with sensitive info
      • Primary threat: theft or loss
      • Whole disk encryption: best guarantee of protecting data
      • File/folder encryption: can protect data if users encrypt the right files
    • File server with sensitive info
      • Primary threats: hack, transmission over network, theft/loss of backups
      • File/folder encryption: may protect on all counts, but can be complicated with multiple users
      • Disk encryption: doesn’t protect on any counts
    • Sensitive E-mail
      • Threats: e-mail intercepted or accidentally CC’ed to the wrong people
      • E-mail encryption: can protect from accidental disclosure
      • E-mail signing: only ensures validity
      • File/folder encryption: can protect the attachment only
    • Web applications
      • Threats: sensitive information is intercepted when sent to the web server; the web server is spoofed/phished
      • SSL encryption can protect data in transit and (if users are trained) can help them verify it is the real server
      • Data must then be protected at rest
    • USB thumbdrives
      • Threats: theft/loss
      • Whole disk encryption: most products support USB drives
      • File/folder encryption: protects if the right files are encrypted
    • Encryption caveats
      • Key management: you lose the keys, you lose the data (key generation, distribution, backup, protection, etc.)
      • Impact on system management, particularly with whole disk encryption
      • “Stickiness” of encryption, or lack thereof: can confuse users and can lead to unencrypted sensitive information