Encryption Overview
Brad Judy
Kerry Havens
IT Security Office

Outline
- Brief history
- Concepts and terms
- Types of encryption
- Products
- Scenarios

Very brief history
- 45 BCE, Rome: Julius Caesar, substitution cipher
- 850 CE, Baghdad: Abu Yusuf al-Kindi, frequency analysis
- 1587 CE, London: Mary Queen of Scots, lost her head
- 1923 CE, Germany: Enigma, commercial crypto
- 1976 CE, USA: Diffie-Hellman, public key crypto

Secret Decoder Ring Encryption
- Word = Haagen Dazs
- Key = Inside B at outside G
- Encode inside to outside
- Encrypted word = mffljs ifex

Secret Decoder Ring Decryption
- Encrypted word = mffljs ifex
- Key = Inside B at outside G
- Decode outside to inside
- Word = Haagen Dazs
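The decoder ring worked through in Python, as an added example that is not code from the slides: the key "inside B at outside G" is a shift of five letters, and a letter count shows why the frequency analysis from the history slide defeats it. The function names and the frequency helper are my own choices.

```python
# Added example (not from the slides): the secret decoder ring as a shift cipher.
# "Inside B at outside G" means inner B lines up with outer G, so every inner
# letter maps to the outer letter five positions further along the alphabet.
import string

ALPHABET = string.ascii_lowercase


def ring_offset(inside: str, outside: str) -> int:
    """How far the outer ring is turned relative to the inner ring (the key)."""
    return (ALPHABET.index(outside.lower()) - ALPHABET.index(inside.lower())) % 26


def encode(word: str, inside: str = "B", outside: str = "G") -> str:
    """Find each letter on the inner ring, write down the outer letter opposite it."""
    shift = ring_offset(inside, outside)
    out = []
    for ch in word.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def decode(word: str, inside: str = "B", outside: str = "G") -> str:
    """Read outer letters back to inner ones: the same ring, turned the other way."""
    return encode(word, outside, inside)


def letter_frequencies(text: str) -> dict:
    """Letter counts, the raw material of al-Kindi's frequency analysis. A shift
    cipher moves every letter by the same amount, so the most common plaintext
    letter is still the most common ciphertext letter, just renamed."""
    counts = {}
    for ch in text.lower():
        if ch in ALPHABET:
            counts[ch] = counts.get(ch, 0) + 1
    return counts


if __name__ == "__main__":
    secret = encode("Haagen Dazs")
    print(secret, "->", decode(secret))
    print(letter_frequencies("Haagen Dazs"), letter_frequencies(secret))
```

The ring has no notion of case, so decoding returns "haagen dazs" in lowercase. Note that the three a's in the plaintext become three f's in the ciphertext: the key renames letters but leaves their counts intact.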
Basic terms
Primary components of data encryption:
- Data (Haagen Dazs)
- Encryption algorithm (Caesar cipher - ring)
  - 3DES, AES, RSA, etc.
- Encryption key (offset – alignment of rings)
  - Passwords, tokens, special files
- Encrypted data (mffljs ifex)

Encryption by algebra
- Combination 14-32-27
- Shortened 143227
- Secret number = 6
- Secret number × (combination + secret number) = scrambled number

Encryption by algebra
- Combination = 143227
- Secret number = 6
- 6 × (143227 + 6) = scrambled number
- 6 × (143227 + 6) = 859398
- 859398 is the encrypted combination

Decryption by algebra
- Scrambled = 859398
- Secret number = 6
- Secret number × (combination + secret number) = scrambled number
- 6 × (combination + 6) = 859398
- (combination + 6) = 143233
- 143227 is the combination
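The algebra cipher from the two slides above as an added Python example (not code from the slides); the function names are mine. Beyond the slides, it also shows what happens when the wrong secret number is used, which is the point of the key management caveat later on.

```python
# Added example (not from the slides): the "encryption by algebra" cipher.
# Data is the lock combination, the algorithm is the equation
# secret * (combination + secret) = scrambled, and the key is the secret number.


def shorten(dial: str) -> int:
    """Turn a lock combination such as '14-32-27' into the integer 143227."""
    return int(dial.replace("-", ""))


def encrypt(combination: int, secret: int) -> int:
    """Apply the slide's equation."""
    if secret == 0:
        raise ValueError("secret number must be non-zero")
    return secret * (combination + secret)


def decrypt(scrambled: int, secret: int) -> int:
    """Run the equation backwards: divide out the secret, then subtract it."""
    if scrambled % secret != 0:
        # Most wrong keys do not divide evenly, which at least signals a bad key...
        raise ValueError("scrambled number does not fit this secret number")
    # ...but a wrong key that does divide evenly gives a wrong combination that
    # looks perfectly plausible: losing or mistyping the key means losing the data.
    return scrambled // secret - secret


if __name__ == "__main__":
    scrambled = encrypt(shorten("14-32-27"), 6)
    print(scrambled, decrypt(scrambled, 6), decrypt(scrambled, 2))
```

With the secret 7, 859398 does not divide evenly and decryption refuses; with the secret 2 it divides and returns 429697, a wrong combination that nothing flags as wrong.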
Basic terms
Primary components of data encryption:
- Data (combination)
- Encryption algorithm (equation)
  - 3DES, AES, RSA, etc.
- Encryption key (secret number)
  - Passwords, tokens, special files
- Encrypted data (scrambled number)

One key, two key…
- Same key encrypts and decrypts (symmetric)
  - Classic password key encryption
- One key for encrypting, different key for decrypting (asymmetric)
  - Public-key encryption
  - Digital signatures (one key signs, one verifies)
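The two-key case as an added Python example (not code from the slides): textbook RSA on constructed toy primes, showing that one key encrypts while the other decrypts, and that the roles reverse for signing. The primes, exponent, messages and function names are my constructions; the one-key case is what the ring and algebra examples already show, where the same secret is used in both directions.

```python
# Added example (not from the slides): the two-key case with textbook RSA on
# toy-sized, constructed primes. Real keys use primes hundreds of digits long
# and pad messages; this shows only the key roles.
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Build (public, private) from two primes: public = (e, n), private = (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse: e * d == 1 (mod phi), Python 3.8+
    return (e, n), (d, n)


def encrypt(m: int, public) -> int:
    """Anyone holding the public key can encrypt; only the private key can undo it."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer smaller than n")
    return pow(m, e, n)


def decrypt(c: int, private) -> int:
    d, n = private
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Signing swaps the roles: the private key produces a tag over the message hash."""
    d, n = private
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Anyone with the public key can check the tag, but cannot produce one."""
    e, n = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


# Constructed demo primes (104729 and 1000003 are prime); n is about 1e11,
# far too small for real use but large enough that a tampered tag will not verify.
PUBLIC, PRIVATE = make_keypair(104729, 1000003)

if __name__ == "__main__":
    c = encrypt(65, PUBLIC)
    print(c, decrypt(c, PRIVATE))
    tag = sign(b"pay Bob $10", PRIVATE)
    print(verify(b"pay Bob $10", tag, PUBLIC), verify(b"pay Bob $100", tag, PUBLIC))
```

The public half can be handed to anyone: it lets them send you something only you can read and check tags only you could have produced, which is exactly the split the slide describes.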
When to use encryption
- If sensitive data and prying eyes may meet
- Sensitive data
  - SSN, PII, financial, medical, passwords, etc.
- Potential for exposure to prying eyes
  - Transmission over network
  - Theft/loss
  - System hacked
  - Must give access to an untrusted party

More terms
- At rest – data is written on a storage device (disk, tape, CD, thumb drive, etc.)
- In transit – data is being transmitted over a network
- "Stickiness" – the quality of encryption to stay with a file as it is transferred between disks or computers

Where can we encrypt?
- Network
- Disk
- File/folder
- E-mail
- Database

Network encryption
- SSL – web (HTTPS) and more
- SSH – terminal, files and more
- IPSec
  - Any traffic, but requires client and server configuration
- WPA and WEP
  - Wireless only; WEP not considered secure

Network encryption products
- Generally built into OS or application
- Hardware acceleration options for SSL and IPSec
- Wireless encryption requires hardware support

Disk encryption
- Encrypt entire contents of disk or volume
- Typically requires key at boot
- Encryption does not "stick" to files
- Boot drive vs non-boot drive
- Good for theft/loss, but not hacking

Disk encryption products
- Some OS integrated options
  - EFS, BitLocker
- Third-party software
  - PGP, Utimaco, PointSec, etc.
- Hardware level disk encryption beginning to show up

File/folder encryption
- Encrypt individual files or groups of files
- Encryption may "stick" to files
- Can be difficult to manage with multiple users
- Can be good for theft/loss, hacking and untrusted party

File/folder encryption products
- Some OS integrated options
  - EFS, FileVault
- Third-party software
  - PGP, Utimaco, etc.
- Freeware apps (GnuPG, TrueCrypt, etc.)

E-mail encryption
- Encrypt e-mail attachment
- Encrypt entire message (cannot encrypt headers)
- Recipient must be able to decrypt
- Good for transmission over a network

E-mail encryption products
- Most clients support S/MIME, but it requires issuing certificates
- PGP/GnuPG is very popular
- See file level encryption products for encrypting attachments

Database encryption
- Application layer – smart app, but no special DB requirements
- Database layer – DB requirements and maybe app requirements
- Disk encryption – not useful for most database server attacks
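Application-layer database encryption as an added Python example (not code from the slides): the application encrypts the sensitive column before it reaches the database and decrypts it on the way back, so the database needs no encryption feature of its own, and a query that bypasses the application (the "database server attack" disk encryption cannot help with) returns only ciphertext. The employees table, the sample SSN, the keys, the inline keystream cipher and the blind index are all my constructions; a production application would use AES-GCM from a vetted library rather than the hash-based stream cipher shown here.

```python
# Added example (not from the slides): application-layer database encryption.
# The application encrypts a sensitive column before INSERT and decrypts after
# SELECT, so the database needs no encryption feature and anyone who can run
# SQL against it (or copy its files) sees only ciphertext. The cipher is a
# SHA-256 counter keystream XOR written inline so the example runs on the
# standard library alone; a real application would use AES-GCM from a vetted
# library, which also authenticates the ciphertext.
import hashlib
import hmac
import os
import sqlite3


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from key and nonce; the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def blind_index(index_key: bytes, value: str) -> str:
    """Keyed hash of the plaintext so the app can still look rows up by exact match."""
    return hmac.new(index_key, value.encode(), "sha256").hexdigest()


class EmployeeStore:
    """Constructed example table: the DB holds only name, nonce, ciphertext and index."""

    def __init__(self, enc_key: bytes, index_key: bytes):
        self.enc_key = enc_key
        self.index_key = index_key
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE employees (name TEXT, ssn_nonce BLOB, ssn_ct BLOB, ssn_idx TEXT)")

    def add(self, name: str, ssn: str) -> None:
        nonce = os.urandom(16)  # fresh per row: a reused nonce would reuse the keystream
        ct = keystream_xor(self.enc_key, nonce, ssn.encode())
        self.db.execute("INSERT INTO employees VALUES (?, ?, ?, ?)",
                        (name, nonce, ct, blind_index(self.index_key, ssn)))

    def ssn_bytes_for(self, name: str, key: bytes) -> bytes:
        """Decrypt with an explicit key; the wrong key yields garbage, not an error."""
        nonce, ct = self.db.execute(
            "SELECT ssn_nonce, ssn_ct FROM employees WHERE name = ?", (name,)).fetchone()
        return keystream_xor(key, nonce, ct)

    def ssn_for(self, name: str) -> str:
        return self.ssn_bytes_for(name, self.enc_key).decode()

    def name_for_ssn(self, ssn: str):
        row = self.db.execute("SELECT name FROM employees WHERE ssn_idx = ?",
                              (blind_index(self.index_key, ssn),)).fetchone()
        return row[0] if row else None

    def plaintext_visible(self, ssn: str) -> bool:
        """What a raw SELECT * (or a dumped table) exposes: is the SSN in any column?"""
        for row in self.db.execute("SELECT * FROM employees"):
            for col in row:
                needle = ssn.encode() if isinstance(col, bytes) else ssn
                if needle in col:
                    return True
        return False


if __name__ == "__main__":
    store = EmployeeStore(enc_key=os.urandom(32), index_key=os.urandom(32))
    store.add("Alice", "123-45-6789")  # constructed sample SSN
    print(store.ssn_for("Alice"), store.name_for_ssn("123-45-6789"),
          store.plaintext_visible("123-45-6789"))
```

The trade-off the slide hints at with "smart app" is visible here: the database can no longer sort or range-search the encrypted column, so the application has to add something like the blind index to keep exact-match lookups working, and the keys now live with the application and must be managed there.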
Database encryption products
- Application layer depends on your app vendor
- Database layer
  - Built-in options
    - Oracle Advanced Security Option added to CU license
    - MS SQL 2005 added native encryption feature
  - Add-on encryption for DBs

Scenarios
- Notebook with sensitive information
- File server with sensitive information
- Sending sensitive e-mails
- Web applications collecting information
- USB thumb drives

Protecting sensitive information
- 1 – Get rid of the sensitive information
  - Remove entire files
  - Remove sensitive info from files
- 2 – Move sensitive info offline
- 3 – Protect sensitive info
  - Minimum security standards for private info

Notebook with sensitive info
- Primary threat: theft or loss
- Whole disk encryption
  - Best guarantee of protecting data
- File/folder encryption
  - Can protect data if users encrypt the right files

File server with sensitive info
- Primary threats: hack, transmission over network, theft/loss of backups
- File/folder encryption – may protect on all counts, but can be complicated with multiple users
- Disk encryption – doesn't protect on any counts

Sensitive e-mail
- Threats: e-mail intercepted or accidentally CC'ed to wrong people
- E-mail encryption: can protect from accidental disclosure
- E-mail signing: only ensures validity
- File/folder encryption: can protect attachment only

Web applications
- Threats: sensitive information is intercepted when sent to web server; web server is spoofed/phished
- SSL encryption can protect data in transit and (if users are trained) can help them verify it is the real server
- Data must then be protected at rest

USB thumb drives
- Threats: theft/loss
- Whole disk encryption: most products support USB drives
- File/folder encryption: protects if the right files are encrypted

Encryption caveats
- Key management
  - You lose the keys, you lose the data
  - Key generation, distribution, backup, protection, etc.
- Impact on system management
  - Particularly on whole disk encryption
- "Stickiness" of encryption or lack thereof
  - Can confuse users
  - Can lead to unencrypted sensitive information