Encryption Overview

Brad Judy
Kerry Havens
IT Security Office
Slide transcript

1. Encryption Overview
   Brad Judy, Kerry Havens, IT Security Office

2. Outline
   - Brief history
   - Concepts and terms
   - Types of encryption
   - Products
   - Scenarios

3. Very brief history (timeline)
   - 45 BCE, Rome: Julius Caesar, substitution cipher
   - 850 CE, Baghdad: Abu Yusuf al-Kindi, frequency analysis
   - 1587 CE, London: Mary Queen of Scots, lost her head
   - 1923 CE, Germany: Enigma, commercial crypto
   - 1976 CE, USA: Diffie-Hellman, public key crypto

4. Secret Decoder Ring Encryption
   - Word = Haagen Dazs
   - Key = inside B at outside G
   - Encode inside to outside
   - Encrypted word = mffljs ifex

5. Secret Decoder Ring Decryption
   - Encrypted word = mffljs ifex
   - Key = inside B at outside G
   - Decode outside to inside
   - Word = Haagen Dazs

6. Basic terms
   - Primary components of data encryption:
     - Data (Haagen Dazs)
     - Encryption algorithm (Caesar cipher - ring): 3DES, AES, RSA, etc
     - Encryption key (offset - alignment of rings): passwords, tokens, special files
     - Encrypted data (mffljs ifex)

7. Encryption by algebra
   - Combination 14-32-27
   - Shortened 143227
   - Secret number × (combination + secret number) = scrambled number
   - Secret number = 6

8. Encryption by algebra
   - Combination = 143227
   - Secret number = 6
   - Secret number × (combination + secret number) = scrambled number
   - 6 × (143227 + 6) = scrambled number
   - 6 × (143227 + 6) = 859398
   - 859398 is the encrypted combination

9. Decryption by algebra
   - Scrambled = 859398
   - Secret number = 6
   - Secret number × (combination + secret number) = scrambled number
   - 6 × (combination + 6) = 859398
   - (combination + 6) = 143233
   - 143227 is the combination

10. Basic terms
   - Primary components of data encryption:
     - Data (combination)
     - Encryption algorithm (equation): 3DES, AES, RSA, etc
     - Encryption key (secret number): passwords, tokens, special files
     - Encrypted data (scrambled number)
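The decoder ring of slides 4-5 and the algebra scheme of slides 7-9, written out as a runnable Python example (added here, not code from the slides). The key "inside B at outside G" and the values 143227, 6 and 859398 are the slides'; the function names and the all-alignments helper are my own.

```python
import string

ALPHABET = string.ascii_lowercase


def ring_shift(inside: str, outside: str) -> int:
    """Key as the slides give it: inner-ring letter `inside` lined up with
    outer-ring letter `outside`. "B at G" is an offset of 5 positions."""
    return (ALPHABET.index(outside.lower()) - ALPHABET.index(inside.lower())) % 26


def ring_encode(word: str, inside: str = "B", outside: str = "G") -> str:
    """Encode inside-to-outside: move each letter `shift` places around the
    ring, wrapping past z (so the z in "Dazs" becomes e). Spaces pass through.
    Output is lowercase, as on the slide ("mffljs ifex")."""
    shift = ring_shift(inside, outside)
    out = []
    for ch in word.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def ring_decode(cipher: str, inside: str = "B", outside: str = "G") -> str:
    """Decode outside-to-inside: the same move with the alignment reversed."""
    return ring_encode(cipher, outside, inside)


def all_ring_alignments(cipher: str) -> dict:
    """Helper (my addition): every possible ring alignment, 26 in all, keyed by
    shift. Shows why the slides move on to 3DES/AES/RSA: a 26-entry key space
    is checked by hand in minutes."""
    return {s: ring_encode(cipher, "a", ALPHABET[s]) for s in range(26)}


def algebra_encrypt(combination: int, secret: int) -> int:
    """Slide 8: secret * (combination + secret) = scrambled number."""
    return secret * (combination + secret)


def algebra_decrypt(scrambled: int, secret: int) -> int:
    """Slide 9: divide the secret back out, then subtract it. A value that is
    not a multiple of the secret could not have been made with this key."""
    if scrambled % secret != 0:
        raise ValueError("scrambled value does not match this secret number")
    return scrambled // secret - secret
```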
11. One key, two key…
   - Same key encrypts and decrypts (symmetric)
     - Classic password key encryption
   - One key for encrypting, different key for decrypting (asymmetric)
     - Public-key encryption
     - Digital signatures (one key signs, one verifies)

12. When to use encryption
   - If sensitive data and prying eyes may meet
   - Sensitive data: SSN, PII, financial, medical, passwords, etc
   - Potential for exposure to prying eyes:
     - Transmission over network
     - Theft/loss
     - System hacked
     - Must give access to an untrusted party

13. More terms
   - At rest - data is written on a storage device (disk, tape, CD, thumb drive, etc)
   - In transit - data is being transmitted over a network
   - “Stickiness” - the quality of encryption to stay with a file as it is transferred between disks or computers

14. Where can we encrypt?
   - Network
   - Disk
   - File/folder
   - E-mail
   - Database

15. Network encryption
   - SSL - web (HTTPS) and more
   - SSH - terminal, files and more
   - IPSec - any traffic, but requires client and server configuration
   - WPA and WEP - wireless only; WEP not considered secure

16. Network encryption products
   - Generally built into OS or application
   - Hardware acceleration options for SSL and IPSec
   - Wireless encryption requires hardware support

17. Disk encryption
   - Encrypt entire contents of disk or volume
   - Typically requires key at boot
   - Encryption does not “stick” to files
   - Boot drive vs non-boot drive
   - Good for theft/loss, but not hacking

18. Disk encryption products
   - Some OS integrated options: EFS, BitLocker
   - Third-party software: PGP, Utimaco, PointSec, etc
   - Hardware level disk encryption beginning to show up

19. File/folder encryption
   - Encrypt individual files or groups of files
   - Encryption may “stick” to files
   - Can be difficult to manage with multiple users
   - Can be good for theft/loss, hacking and untrusted party

20. File/folder encryption products
   - Some OS integrated options: EFS, FileVault
   - Third-party software: PGP, Utimaco, etc
   - Freeware apps (GnuPG, TrueCrypt, etc)

21. E-mail encryption
   - Encrypt e-mail attachment
   - Encrypt entire message (cannot encrypt headers)
   - Recipient must be able to decrypt
   - Good for transmission over a network

22. E-mail encryption products
   - Most clients support S/MIME, but it requires issuing certificates
   - PGP/GnuPG is very popular
   - See file level encryption products for encrypting attachments

23. Database encryption
   - Application layer - smart app, but no special DB requirements
   - Database layer - DB requirements and maybe app requirements
   - Disk encryption - not useful for most database server attacks

24. Database encryption products
   - Application layer depends on your app vendor
   - Database layer
     - Built-in options: Oracle Advanced Security Option added to CU license; MS SQL 2005 added native encryption feature
     - Add-on encryption for DBs

25. Scenarios
   - Notebook with sensitive information
   - File server with sensitive information
   - Sending sensitive e-mails
   - Web applications collecting information
   - USB thumbdrives

26. Protecting sensitive information
   - 1 - Get rid of the sensitive information
     - Remove entire files
     - Remove sensitive info from files
   - 2 - Move sensitive info offline
   - 3 - Protect sensitive info
     - Minimum security standards for private info

27. Notebook with sensitive info
   - Primary threat: theft or loss
   - Whole disk encryption: best guarantee of protecting data
   - File/folder encryption: can protect data if users encrypt the right files

28. File server with sensitive info
   - Primary threats: hack, transmission over network, theft/loss of backups
   - File/folder encryption - may protect on all counts, but can be complicated with multiple users
   - Disk encryption - doesn’t protect on any counts

29. Sensitive E-mail
   - Threats: e-mail intercepted or accidentally CC’ed to wrong people
   - E-mail encryption: can protect from accidental disclosure
   - E-mail signing: only ensures validity
   - File/folder encryption: can protect attachment only

30. Web applications
   - Threats: sensitive information is intercepted when sent to web server; web server is spoofed/phished
   - SSL encryption can protect data in transit and (if users are trained) can help them verify it is the real server
   - Data must then be protected at rest

31. USB thumbdrives
   - Threats: theft/loss
   - Whole disk encryption: most products support USB drives
   - File/folder encryption: protects if the right files are encrypted

32. Encryption caveats
   - Key management
     - You lose the keys, you lose the data
     - Key generation, distribution, backup, protection, etc
   - Impact on system management, particularly on whole disk encryption
   - “Stickiness” of encryption or lack thereof
     - Can confuse users
     - Can lead to unencrypted sensitive information
