Why Information Is Important?

11,970 views
11,651 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
11,970
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
36
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Why Information Is Important?

  1. 1. White Paper on Significance of Data Encryption i
  2. 2. Table Of Contents 1. Why Information Is Important?.......................................................................................1 1.1. Why Information Hiding or Data Privacy?...............................................................1 2. Data Encryption Approach..............................................................................................2 2.1. Solution: Encryption Fundamentals Based on Private & Public Keys (PKI Approach)........................................................................................................................2 3. Encryption Standards.......................................................................................................3 3.1. Security Level 1........................................................................................................3 3.2. Security Level 2........................................................................................................4 3.3. Security Level 3........................................................................................................5 3.4. Security Level 4........................................................................................................6 4. Encryption Algorithms.....................................................................................................7 4.1. Applications Based on Encryption Standards...........................................................8 5. Conclusion.......................................................................................................................9 6. References......................................................................................................................10 i
  3. 3. 1. Why Information Is Important? The modern world is fast-changing & dynamic and is surviving / thriving on awareness & knowledge. The development & progress is much faster than ever has been known before owing to the availability of information. In today’s world – everything is being driven through information. It is only through information that we are able to control the activities, procedures, & processes existing in this world. Thanks to mobile communication that with a phone call, we can reach a person anywhere anytime and get whatever information we seek. Some people have quite rightly believed that knowledge/information is power. If a person is well-informed, then can use this awareness constructively or destructively and be at an advantage to his adversaries & competitors. Organizations working in different technology domains like to keep their R&D findings and their products in the conceptualization stage as confidential as they are often concerned that competitors can imitate those ideas or (mis)use those findings to their advantage. 1.1. Why Information Hiding or Data Privacy? Thus confidentiality is of prime importance and critical information hiding/privacy is a must. It is even more significant in defense organizations whose information can change the lives/security of the nations. This being the age of Electronics & Information Technology, majority of the information of large enterprises is maintained on machines in the form of data. This information is very sensitive & several mission critical applications depend upon this information. Any intruder who may get access to this information can not only leak the information but also alter/tamper this information which can lead Outworks Solutions Private Limited Confidential Page 1 of 10
  4. 4. to malfunctioning of the defense/mission-critical systems. This certainly can create havoc to the future of such organizations & nations. Thus information hiding is a must – so that information does not get (mis)interpreted and never leaked out and also protected at all costs from any kind of tampering. 2. Data Encryption Approach By performing data encryption, the information represented as data is transformed into a secret code which has to be decrypted to derive any meaning out of it. Thus secure data encryption helps a lot as an authentic & authorized password is required to decrypt the encrypted data to obtain any meaningful information from it. Also by ensuring authentic & authorized users to login to certain systems like Laptops, Pamtops, etc. information can be prevented from being accessed & altered. 2.1. Solution: Encryption Fundamentals Based on Private & Public Keys (PKI Approach) Encryption using 2 keys is based on the following conditions: i. Each user possesses a private key & a public key ii. Private & public keys are independent of each other and no one key can be derived from the other iii. Encryption done using the public key can only be decrypted by it’s private key Outworks Solutions Private Limited Confidential Page 2 of 10
  5. 5. Thus a pair of private & public keys is generated for each user. The users are allowed to share their public keys with each other but not their private key. If there are two users A & B, then let PuKA & PvKA and PuKB & PvKB be public & private keys of A and B respectively. A certified authority (CA) shall share PuKA with B and PuKB with A. When A shall send data to B, then A shall encrypt using PuKB and B shall decrypt using PvKB. Similarly when B shall send data to A, B shall encrypt using PuKA and A shall decrypt using PvKA. If some other user C tries to tap data sent by A or B, then C shall not be able to interpret it as it does not have the private keys of A & B for decryption. Some other user C could (mis)use the public key of B to send messages to B encrypted using the public key of B acting like A and B would be able to decrypt the messages using it’s private key. However, C would be required to provide the security credentials (digital signature possibly) in the encrypted message sent to B. Thus B would be able to make out from the security credentials that message is from someone other than A and B would not allow that message to be processed if only A is allowed to send that message. 3. Encryption Standards Besides this approach of PKI for encryption, there are various encryption standards published like FIPS PUBS 140-2, etc. This standard is a requirement for various cryptographic modules. This standard describes the four levels of security with 1 being the lowest level & 4 being the highest. 3.1. Security Level 1 Security Level 1 provides the lowest level of security. Basic security requirements are specified for a cryptographic module (e.g., at least one Approved algorithm or Outworks Solutions Private Limited Confidential Page 3 of 10
  6. 6. Approved security function shall be used). No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components. An example of a Security Level 1 cryptographic module is a personal computer (PC) encryption board. Security Level 1 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an unevaluated operating system. Such implementations may be appropriate for some low-level security applications when other controls, such as physical security, network security, and administrative procedures are limited or nonexistent. The implementation of cryptographic software may be more cost- effective than corresponding hardware-based mechanisms, enabling organizations to select from alternative cryptographic solutions to meet lower- level security requirements. 3.2. Security Level 2 Security Level 2 enhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the module. Tamper-evident coatings or seals are placed on a cryptographic module so that the coating or seal must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module. Tamper-evident seals or pick-resistant locks are placed on covers or doors to protect against unauthorized physical access. Security Level 2 requires, at a minimum, role-based authentication in which a cryptographic module authenticates the authorization of an operator to assume a specific role and perform a corresponding set of services. Security Level 2 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an Outworks Solutions Private Limited Confidential Page 4 of 10
  7. 7. operating system which is trusted & evaluated. A trusted operating system provides a level of trust so that cryptographic modules executing on general purpose computing platforms are comparable to cryptographic modules implemented using dedicated hardware systems. 3.3. Security Level 3 In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 attempts to prevent the intruder from gaining access to CSPs held within the cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. The physical security mechanisms may include the use of strong enclosures and tamper detection/response circuitry that zeroizes all plaintext CSPs when the removable covers/doors of the cryptographic module are opened. Security Level 3 requires identity-based authentication mechanisms, enhancing the security provided by the role-based authentication mechanisms specified for Security Level 2. A cryptographic module authenticates the identity of an operator and verifies that the identified operator is authorized to assume a specific role and perform a corresponding set of services. Security Level 3 requires the entry or output of plaintext CSPs (including the entry or output of plaintext CSPs using split knowledge procedures) be performed using ports that are physically separated from other ports, or interfaces that are logically separated using a trusted path from other interfaces. Plaintext CSPs may be entered into or output from the cryptographic module in encrypted form (in which case they may travel through enclosing or intervening systems). Outworks Solutions Private Limited Confidential Page 5 of 10
  8. 8. Security Level 3 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an operating system which is trusted & evaluated. An equivalent evaluated trusted operating system may be used. The implementation of a trusted path protects plaintext CSPs and the software and firmware components of the cryptographic module from other untrusted software or firmware that may be executing on the system. 3.4. Security Level 4 Security Level 4 provides the highest level of security defined in this standard. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate zeroization of all plaintext CSPs. Security Level 4 cryptographic modules are useful for operation in physically unprotected environments. Security Level 4 also protects a cryptographic module against a security compromise due to environmental conditions or fluctuations outside of the module's normal operating ranges for voltage and temperature. Intentional excursions beyond the normal operating ranges may be used by an attacker to thwart a cryptographic module's defenses. A cryptographic module is required to either include special environmental protection features designed to detect fluctuations and zeroize CSPs, or to undergo rigorous environmental failure testing to provide a reasonable assurance that the module will not be affected by fluctuations outside of the normal operating range in a manner that can compromise the security of the module. Outworks Solutions Private Limited Confidential Page 6 of 10
  9. 9. Security Level 4 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an operating system which is trusted & evaluated. An equivalent evaluated trusted operating system may be used. 4. Encryption Algorithms The Data Encryption Standard (DES) specifies two FIPS approved cryptographic algorithms as required by FIPS 140-1. When used in conjunction with American National Standards Institute (ANSI) X9.52 standard, this publication provides a complete description of the mathematical algorithms for encrypting (enciphering) and decrypting (deciphering) binary coded information. Encrypting data converts it to an unintelligible form called cipher. Decrypting cipher converts the data back to its original form called plaintext. The algorithms described in this standard specifies both enciphering and deciphering operations which are based on a binary number called a key. A DES key consists of 64 binary digits ("0"s or "1"s) of which 56 bits are randomly generated and used directly by the algorithm. The other 8 bits, which are not used by the algorithm, may be used for error detection. The 8 error detecting bits are set to make the parity of each 8-bit byte of the key odd, i.e., there is an odd number of "1"s in each 8-bit byte1. A TDEA key consists of three DES keys, which is also referred to as a key bundle. Authorized users of encrypted computer data must have the key that was used to encipher the data in order to decrypt it. The encryption algorithms specified in this standard are commonly known among those using the standard. 1. Sometimes keys are generated in an encrypted form. A random 64-bit number is generated and defined to be the cipher formed by the encryption of a key using a key encrypting key. In this case the parity bits of the encrypted key cannot be set until after the key is decrypted. Outworks Solutions Private Limited Confidential Page 7 of 10
  10. 10. 2. Security of the data depends on the security provided for the key used to encipher and decipher the data. Data can be recovered from cipher only by using exactly the same key used to encipher it. Unauthorized recipients of the cipher who know the algorithm but do not have the correct key cannot derive the original data algorithmically. However, it may be feasible to determine the key by a brute force “exhaustion attack.” Also, anyone who does have the key and the algorithm can easily decipher the cipher and obtain the original data. A standard algorithm based on a secure key thus provides a basis for exchanging encrypted computer data by issuing the key used to encipher it to those authorized to have the data. Data that is considered sensitive by the responsible authority, data that has a high value, or data that represents a high value should be cryptographically protected if it is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage. A risk analysis should be performed under the direction of a responsible authority to determine potential threats. The costs of providing cryptographic protection using this standard as well as alternative methods of providing this protection and their respective costs should be projected. A responsible authority then should make a decision, based on these analyses, whether or not to use cryptographic protection and this standard. 4.1. Applications Based on Encryption Standards Data encryption (cryptography) is utilized in various applications and environments. The specific utilization of encryption and the implementation of the DES and TDEA1 will be based on many factors particular to the computer system and its associated components. In general, cryptography is used to protect data while it is being communicated between two points or while it is stored in a medium vulnerable to physical theft. Communication security provides Outworks Solutions Private Limited Confidential Page 8 of 10
  11. 11. protection to data by enciphering it at the transmitting point and deciphering it at the receiving point. File security provides protection to data by enciphering it when it is recorded on a storage medium and deciphering it when it is read back from the storage medium. In the first case, the key must be available at the transmitter and receiver simultaneously during communication. In the second case, the key must be maintained and accessible for the duration of the storage period. FIPS 171 provides approved methods for managing the keys used by the algorithms specified in this standard. 5. Conclusion Since data security is of paramount importance to Organizations/Enterprises, they are investing heavily for physical security, information security, etc. Some organizations do not allow taking out of information without prior approvals & security checks. The IT & MIS departments of the organizations have introduced fool-proof systems which prevent taking out of data using floppies or via e-mail. Such organizations have also introduced Internet Sentinels which prevent sending the data via Internel mail as well as preventing attachments for secret artifacts. Sometimes, Organizations / Enterprises need to destroy secret/proprietary information after using it – so that it cannot be (mis)used. It is often seen that data stored on hard disks – if deleted can be recovered even after deletion using certain recovery tools. Thus sometimes even the magnetic media has to be destroyed alongwith the data. This meant physical destruction of data stores which was proving very costly for companies and some other solution better solution was required to allow re-use of data stores. Thus encryption of data proved to be a very strong solution as data may be recovered but only in encrypted form preventing any (mis)use. Outworks Solutions Private Limited Confidential Page 9 of 10
  12. 12. This goes to show that Information security is vital for an organization’s survival and cannot be done without and data encryption is a means which automates information secrecy with the least of manual intervention. However, this technology has to mature further as still there are no means to prevent destruction of mission-critical information through physical means and the only solution at present is to maintain backups. 6. References S.# Section# Reference Author URL 1 2 Public Key Oracle http://download- . Infrastructur Corporati uk.oracle.com/docs/cd/B14117_01/network.101/b10777/pki.htm e Approach on To Security 2 3 FIPS 140-2: National http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf . Security Institute Requireme of nts for Standard Cryptograp s& hic Modules Technolo gy 3 4 Data National http://www.itl.nist.gov/fipspubs/fip46-2.htm . Encryption Institute Standard of (DES) Standard s& Technolo gy Outworks Solutions Private Limited Confidential Page 10 of 10

×