Encryption: Choosing the Right Tool for the Job
Presented by
Harry Smith, Instructor
Information & Communications Technology
University of Denver
Email: [email protected]
Yogi Berra
“In theory, there is no difference between theory and practice. In practice there is.”
HIPAA Breach Notification
What is Encryption?
Encryption is a process that transforms ordinary “plaintext” representations of information into secure “ciphertext” representations.
[Diagram: plaintext → ciphertext]
Three Cryptographic Primitives
• symmetric ciphers (“secret-key” cryptography)
• hashes (message digests)
• asymmetric ciphers (“public-key” cryptography)
Symmetric Ciphers
Symmetric ciphers translate “plaintext” into “ciphertext.” The recipient of the ciphertext must have the secret “key” in order to translate the ciphertext back to its original plaintext form. Symmetric ciphers are useful for keeping secrets.
[Diagram: Bob feeds the “plaintext” into the Symmetric Cipher and obtains “ciphertext”; Alice feeds the “ciphertext” into the Symmetric Cipher and recovers the “plaintext.”]
Hashes
A “hash” is a fixed-length representation of a message. It is useful for detecting message tampering. Hashes are also known as “message digests.”
[Diagram: Bob runs the “message” through the Hash Function to obtain a “message digest”; Alice runs the received “message” through the Hash Function to obtain a “message digest” of her own.]
Asymmetric Ciphers
Asymmetric ciphers encrypt data with a “public key.” Only the owner of the corresponding “private key” can decrypt the ciphertext. Asymmetric ciphers are useful for key agreement and for message authentication.
[Diagram: Bob encrypts a “secret key” with the Asymmetric Cipher under Alice’s public key, producing “ciphertext”; Alice decrypts the “ciphertext” with the Asymmetric Cipher under Alice’s private key and recovers the “secret key.”]
Combining Primitives
Cryptographic primitives are the elements of which compound cryptographic services are constructed.
[Diagram: Hash Function: “My kitty is five years old.” → “a137f5719e2b3cb7”; Symmetric Encryption Function: PHI → Secured PHI]
Cryptographic Services
The three cryptographic primitives are the “elements” that combine to produce various cryptographic services.
• digital signatures
• key agreement schemes
• virtual private networking
• web site authentication
• “signed” code
• message integrity codes
• challenge-response protocols
• data confidentiality
• non-repudiation
and many more …
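As an added worked example (not from the slides), the following Python script shows the three primitives composing into one service, using only the standard library: Diffie-Hellman supplies key agreement (the asymmetric primitive), SHA-256 derives the working keys (the hash primitive), and an HMAC-SHA256 counter-mode keystream with an HMAC tag supplies confidentiality and message integrity (the symmetric primitive plus the hash primitive). Two assumptions are made purely so the script runs without third-party packages: the DH group is toy-sized (a 127-bit Mersenne prime with generator 5, not a standardized 2048-bit group), and the HMAC-based stream cipher stands in for AES. Neither is a recommendation.

```python
import hashlib
import hmac
import secrets

# Asymmetric primitive: Diffie-Hellman key agreement.
# Toy-sized group (assumption for readability only): a 127-bit Mersenne prime, generator 5.
# Real deployments use standardized groups of 2048 bits or more, as the deck's guidance says.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private, public). The private exponent comes from the OS cryptographic RNG."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_shared_secret(my_priv, their_pub):
    """Both parties end up with the same value, g^(ab) mod p."""
    return pow(their_pub, my_priv, P)


# Hash primitive: turn the agreed secret into two fixed-length keys (one per purpose).
def derive_keys(shared):
    secret_bytes = shared.to_bytes(16, "big")    # shared < 2**127, so 16 bytes suffice
    enc_key = hashlib.sha256(b"enc|" + secret_bytes).digest()
    mac_key = hashlib.sha256(b"mac|" + secret_bytes).digest()
    return enc_key, mac_key


# Symmetric primitive: counter-mode keystream generated from HMAC-SHA256.
# Demonstration cipher only (a product would use AES); never reuse a (key, nonce) pair.
def keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key, mac_key, message):
    """Check the tag first (constant-time compare); refuse to decrypt anything tampered."""
    if len(message) < 16 + 32:
        raise ValueError("message too short")
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def run_exchange(plaintext=b"My kitty is five years old."):
    """Alice and Bob agree a key, Bob sends a sealed message, and a tampered copy is rejected.
    Returns (recovered_plaintext, tampering_detected)."""
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    shared_a = dh_shared_secret(alice_priv, bob_pub)
    shared_b = dh_shared_secret(bob_priv, alice_pub)
    assert shared_a == shared_b                  # key agreement: same secret on both sides
    enc_key, mac_key = derive_keys(shared_b)
    sealed = encrypt(enc_key, mac_key, plaintext)  # Bob seals with the agreed keys
    recovered = decrypt(enc_key, mac_key, sealed)  # Alice opens it
    tampered = bytearray(sealed)
    tampered[16] ^= 0x01                         # flip one bit of the first ciphertext byte
    try:
        decrypt(enc_key, mac_key, bytes(tampered))
        detected = False
    except ValueError:
        detected = True                          # the hash-based tag caught the change
    return recovered, detected


if __name__ == "__main__":
    print(run_exchange())
```

The point of `run_exchange` is the division of labour the slide describes: no single primitive gives you a secure channel, but key agreement plus a keyed hash plus a cipher does. Note that the cipher alone would happily "decrypt" the tampered message to garbage; only the tag makes the tampering visible.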
Encryption Products
Commercial vendors offer a number of hardware and software products that each contain some combination of cryptographic services.
• SecureDisc
• Crypto Complete
• CenturionMail
• TrueCrypt
• OpenSSL
• PGP
• NetMeeting
• IPSec/9000
• HushMail
and many more …
Choosing the Right Tool for the Job
To navigate your way through a bewildering array of claims and counter-claims by rival vendors, you must adopt a systematic approach:
1. What, exactly, is the job?
2. Which cryptographic algorithms are used?
3. Which configuration options should I choose?
4. How are the keys protected?
5. What will it cost?
6. Has the product been certified?
Six PHI Exposures
• email
• web sites
• remote system access
• backup media
• laptops
• databases
Email
There are several approaches to encrypting email. The two most popular are “S/MIME” and “PGP.” S/MIME support is built into many popular client email programs such as Microsoft Outlook. PGP support is provided by the “Pretty Good Privacy” vendor product and by its open source equivalents.
Popular Email Security Products
Microsoft Outlook (http://office.microsoft.com/en-us/outlook/)
Built-in support for S/MIME encryption and digital signatures. Users must obtain their own digital ids from a public certificate authority such as Verisign.
PGP (http://www.pgp.com/)
Encryption and authentication built on “ring of trust” concept. Good for small, informal groups.
HushMail (http://www.hushmail.com/)
Free, web-based secure email solution. Integrates with most popular email client software.
Web Sites
The technology used to protect data that is transmitted over the world wide web is known as “Secure Sockets Layer (SSL).” A more advanced version of SSL is “Transport Layer Security (TLS).” SSL/TLS support is built into most popular browsers and web server products.
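Having SSL/TLS "built in" only helps if the client is configured to use it properly. The following is an added example (not from the slides) using Python's standard `ssl` module: the first context shows the settings that quietly remove the protection while still "using SSL", the second is the hardened form, and `audit` reports what a reviewer would flag. No connection is made, so it runs offline; the `audit` function and its messages are this example's own, not part of the `ssl` module.

```python
import ssl


def permissive_context():
    """What "just make the certificate error go away" settings look like: the traffic is
    still encrypted, but any server (including an impostor) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Server certificate required and chained to the system CA store, hostname checked
    against the certificate, and TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx):
    """Return the problems a reviewer would flag; an empty list means the context is sound."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 are allowed")
    return problems


if __name__ == "__main__":
    print("permissive:", audit(permissive_context()))
    print("hardened:", audit(hardened_context()))
```

To use the hardened context, wrap the socket with the server's name so the hostname check has something to compare against: `hardened_context().wrap_socket(sock, server_hostname="www.example.org")` (hostname shown as a placeholder).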
Popular Web Security Products
Yahoo Small Business (http://smallbusiness.yahoo.com/webhosting/)
Web hosting service plus design tools including SSL protection.
JustHost (http://www.justhost.com/)
Extremely cost-effective web hosting choice with bundled SSL support.
iPage (http://www.ipage.com/ipage/index.html)
Web hosting offering founded by industry veterans. Includes no-cost full suite of security tools.
Remote System Access
“Road warriors,” who access data on home office servers, are protected by “virtual private network (VPN)” technology. Several commercial products provide support for VPNs.
Popular VPN Products
OpenVPN (http://openvpn.net/)
Open source (i.e. “free”) VPN client and server downloads.
Cisco (http://www.cisco.com/en/US/products/hw/vpndevc/index.html)
Hardware VPN solutions from the de facto leader in router technology.
Netopia (http://www.netopia.com/index_en.jsp)
Full assortment of VPN routers and hardware acceleration devices.
Backup Media
Standalone encryption programs can be used to encrypt backup tapes and disks that are transported to a recovery site. Some backup programs incorporate an encryption step into the backup process.
Popular Secure Backup Products
Tivoli Storage Manager (http://www-01.ibm.com/software/tivoli/products/storage-mgr/)
Tape backup solution from IBM. More appropriate for large organizations.
Carbonite (http://www.carbonite.com/en-us/default.aspx?re=1)
Online encrypted backup suitable for small organizations.
EVault (http://www.i365.com/)
Family of software encrypted backup solutions designed for multiple environments.
Laptops (… and other portable devices)
Information stored on a laptop is vulnerable, even if it is protected by strong passwords. An attacker can remove the hard drive from a stolen laptop and mount it on a system that he or she controls. “Encrypting file systems” and “full disk encryption” products can be used to protect laptop data.
Popular Laptop Encryption Products
TrueCrypt (http://www.truecrypt.org/)
Open source (free) encryption solution for Windows, Mac and Linux. Encrypts whole disk, selected files, jump drives, etc.
EFS (http://technet.microsoft.com/en-us/library/cc700811.aspx)
“Encrypting File System” standard component of Microsoft Windows XP systems. Very easy to use.
BitLocker (http://www.microsoft.com/windows/windows-7/features/bitlocker.aspx)
Full disk encryption feature built into Microsoft Windows 7 systems. Superior to EFS.
Databases
An attacker who hacks into a database server may be able to bypass database access controls and view data on the hard drive. Encryption features that are built into most popular database management systems can be used to preclude this possibility.
[Diagram: application → database → encrypted data, with the keys shown as a separate component]
Popular Database Encryption Products
SQL Server (http://technet.microsoft.com/en-us/library/cc278098(SQL.100).aspx)
Microsoft’s “transparent data encryption” feature offers an extremely granular and programmer-friendly approach to database encryption.
Oracle (http://www.oracle.com/index.html)
Multiple built-in encryption technologies more oriented toward the database administrator.
BSAFE (http://www.rsa.com/products/bsafe/whitepapers/DDES_WP_0702.pdf)
Serious approach to database encryption strategies from the company that invented asymmetric ciphers.
Choosing the Right Tool for the Job
To navigate your way through a bewildering array of claims and counter-claims by rival vendors, you must adopt a systematic approach:
1. What, exactly, is the job?
2. Which cryptographic algorithms are used?
3. Which configuration options should I choose?
4. How are the keys protected?
5. What will it cost?
6. Has the product been certified?
Cryptographic Algorithms
Cryptographic algorithms are the recipes used to implement the cryptographic primitives. The standards have been subject to the most exhaustive testing. Never use a proprietary algorithm.
Symmetric ciphers – Advanced Encryption Standard (AES), Triple-DES
Hashing – Secure Hash Algorithm (SHA)
Asymmetric ciphers – “Rivest-Shamir-Adleman” (RSA), Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), El Gamal
Choosing the Right Tool for the Job
To navigate your way through a bewildering array of claims and counter-claims by rival vendors, you must adopt a systematic approach:
1. What, exactly, is the job?
2. Which cryptographic algorithms are used?
3. Which configuration options should I choose?
4. How are the keys protected?
5. What will it cost?
6. Has the product been certified?
Configuration Options
The types of configuration options that you must select depend on the cryptographic services that you need.
key size:
• symmetric ciphers – 128 bits
• hashes – 160 bits
• asymmetric ciphers – 2300 bits
algorithms – stay with the standards
key storage – external
Follow the guidance! (Federal Register Vol. 74 No. 79, April 27, 2009)
Breach Notification Guidance
PHI may be rendered “… unusable, unreadable, or indecipherable to unauthorized individuals for the purposes of the breach notification requirements …” if it is encrypted according to the specifications listed in the following publications:
FIPS PUB 140-2 Security Requirements for Cryptographic Modules
(Note: All FIPS PUBs can be downloaded free of charge at http://www.itl.nist.gov/fipspubs/)
NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
(Note: All NIST Special Publications can be downloaded free of charge at http://csrc.nist.gov/publications/PubsSPs.html)
Breach Notification Guidance (cont)
NIST SP 800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
NIST SP 800-77 Guide to IPsec VPNs
NIST SP 800-113 Guide to SSL VPNs
NIST SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
Choosing the Right Tool for the Job
To navigate your way through a bewildering array of claims and counter-claims by rival vendors, you must adopt a systematic approach:
1. What, exactly, is the job?
2. Which cryptographic algorithms are used?
3. Which configuration options should I choose?
4. How are the keys protected?
5. What will it cost?
6. Has the product been certified?
Key Management
Key management deals with the generation, distribution and storage of encryption keys.
Generation – Is the process truly random?
Distribution – The access control problem shifts from the PHI to the encryption key.
Storage – The cryptosystem is no stronger than the security used to protect the keys.
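The three key-management questions above each have a concrete check behind them. As an added example (not from the slides), the following standard-library Python shows one check per question: generation (a key drawn from a seedable PRNG is reproducible, a key from the OS cryptographic RNG is not), distribution (only a fingerprint of the key is stored beside the PHI, never the key itself), and storage (the data key is kept wrapped under a passphrase-derived key-encryption key from PBKDF2, with a check value that rejects the wrong passphrase). The wrapping construction, the 16-byte key length, the PBKDF2 iteration count and the passphrase are all assumptions of this example; a product should use a validated key-wrap mechanism and external key storage, as the deck advises.

```python
import hashlib
import hmac
import random
import secrets


def weak_key(seed):
    """Key from a seedable PRNG (random.Random): anyone who knows or guesses the seed
    regenerates the identical key. Included only to show the failure mode."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def strong_key():
    """Key from the operating system's cryptographic RNG (secrets -> os.urandom)."""
    return secrets.token_bytes(16)


def key_fingerprint(key):
    """Identifier that may travel or be stored with the PHI: names the key without exposing it."""
    return hashlib.sha256(b"key-id|" + key).hexdigest()[:16]


def derive_kek(passphrase, salt, iterations=200_000):
    """Key-encryption key from a passphrase via PBKDF2-HMAC-SHA256.
    The iteration count is an assumption for this example; tune it to your hardware."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def wrap_key(data_key, passphrase):
    """Protect a 16-byte data key for storage. The first 16 bytes of the KEK are used as a
    one-time pad (the salt is fresh each call, so the pad is never reused); the remaining
    16 bytes key a check value so a wrong passphrase is detected instead of yielding garbage."""
    if len(data_key) != 16:
        raise ValueError("this example wraps 16-byte keys only")
    salt = secrets.token_bytes(16)
    kek = derive_kek(passphrase, salt)
    pad, check_key = kek[:16], kek[16:]
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    check = hmac.new(check_key, wrapped, hashlib.sha256).digest()[:8]
    return {"salt": salt, "wrapped": wrapped, "check": check, "kid": key_fingerprint(data_key)}


def unwrap_key(record, passphrase):
    """Recover the data key; refuse (constant-time compare) if the passphrase is wrong."""
    kek = derive_kek(passphrase, record["salt"])
    pad, check_key = kek[:16], kek[16:]
    expected = hmac.new(check_key, record["wrapped"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, record["check"]):
        raise ValueError("wrong passphrase or corrupted key record")
    return bytes(a ^ b for a, b in zip(record["wrapped"], pad))


def demo(passphrase="correct horse battery staple"):
    """Returns (seeded_key_is_predictable, os_keys_differ, unwrap_matches, wrong_passphrase_rejected)."""
    predictable = weak_key(42) == weak_key(42)   # same seed, same key: not a key at all
    differ = strong_key() != strong_key()         # OS RNG: fresh every time
    data_key = strong_key()
    record = wrap_key(data_key, passphrase)       # this record, not the key, is what gets stored
    matches = unwrap_key(record, passphrase) == data_key
    try:
        unwrap_key(record, passphrase + "x")
        rejected = False
    except ValueError:
        rejected = True
    return predictable, differ, matches, rejected


if __name__ == "__main__":
    print(demo())
```

The stored record carries the salt, the wrapped key, the check value and the fingerprint, none of which reveals the data key without the passphrase; that is the sense in which the access-control problem "shifts from the PHI to the encryption key."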
Choosing the Right Tool for the Job
To navigate your way through a bewildering array of claims and counter-claims by rival vendors, you must adopt a systematic approach:
1. What, exactly, is the job?
2. Which cryptographic algorithms are used?
3. Which configuration options should I choose?
4. How are the keys protected?
5. What will it cost?
6. Has the product been certified?
Encryption Cost Factors
There is more to the price of encryption than the cost of the products.
• hardware and software costs
• support issues
• consulting costs
• training costs
• loss of response time or throughput
• loss of functionality
• additional personnel
Choosing the Right Tool for the Job
To navigate your way through a bewildering array of claims and counter-claims by rival vendors, you must adopt a systematic approach:
1. What, exactly, is the job?
2. Which cryptographic algorithms are used?
3. Which configuration options should I choose?
4. How are the keys protected?
5. What will it cost?
6. Has the product been certified?
Product Certification
Several organizations test the strength and reliability of information security products, but only the labs designated by the National Institute of Standards and Technology (NIST) are qualified to evaluate the validity of cryptographic implementations.
Cryptographic Module Validation Program (CMVP) (http://csrc.nist.gov/groups/STM/cmvp/index.html)
Checks the validity of hardware implementations of cryptographic primitives.
Cryptographic Algorithm Validation Program (CAVP) (http://csrc.nist.gov/groups/STM/cavp/index.html)
Checks the validity of software implementations of cryptographic algorithms.
Questions?