Encryption Primer
PACMG
Cathy Nolan
03/26/2008
2
Encryption Primer
Encryption Overview
Why Encrypt
Encrypting ‘Data at Rest’
Performance Considerations
Summary
3
What is Encryption?
Cryptology is the science of encryption
– Cryptography
  • Literally means hidden writing
  • Is the process of making and using codes to secure communication
– Cryptanalysis
  • Is the process of obtaining the original message from an encrypted message without knowing the algorithms or keys used for encryption
4
What is Encryption?
More on Cryptology
– Encryption
  • The process of changing plaintext into ciphertext
– Decryption
  • Is the process of changing ciphertext into plaintext
5
What is Encryption?
History
– 1900 B.C. – one of the earliest documented forms of written cryptography
– Caesar Cipher
– Used during prohibition era
– Navajo Codetalkers
Used in everyday life today
– Ordering coffee at Starbucks
– Daily cryptograms
– Internet transactions
– Email exchanges
6
What is Encryption?
All kinds of uses
SECRET = VHFUHW
Caesar Cipher or Super Hero Code Ring
Secure Web Site
Cryptogram
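The slide's SECRET = VHFUHW pair is a Caesar cipher with a shift of 3. The added example below (not part of the original deck) reproduces it and then shows cryptanalysis in the sense defined on slide 3: recovering the message without the key by trying every shift. The word list and the longer sample message are constructed for the illustration.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Shift each A-Z letter by `shift` places (negative shift decrypts)."""
    result = []
    for ch in text.upper():
        if ch in ALPHABET:
            result.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            result.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(result)

# Tiny constructed word list, used only to score candidate plaintexts.
COMMON_WORDS = {"THE", "AND", "AT", "ME", "TO", "OF", "IS"}

def crack(ciphertext):
    """Cryptanalysis by exhaustive search: try all 25 shifts and keep the
    candidate with the most recognisable words. Returns (shift, plaintext)."""
    best = (0, 0, ciphertext)  # (score, shift, plaintext)
    for shift in range(1, 26):
        candidate = caesar(ciphertext, -shift)
        score = sum(word in COMMON_WORDS for word in candidate.split())
        if score > best[0]:
            best = (score, shift, candidate)
    return best[1], best[2]

if __name__ == "__main__":
    print(caesar("SECRET", 3))                              # the slide's example
    intercepted = caesar("MEET ME AT THE COFFEE SHOP", 3)   # constructed sample
    print(intercepted, "->", crack(intercepted))
```

With only 25 usable keys, the cipher offers no protection once the method is known, which is why modern ciphers rely on large key spaces rather than a secret algorithm.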
7
What’s So Hard About That?
Encryption is a subset of security
– Our basic concept of security is to lock something with a key.
– Security plans are designed around
  • Authentication (Person or Equipment looking for data)
  • Confidentiality (can’t read it if you find it)
  • Integrity (not altered in transit)
  • Non-repudiation (logging who did what and when)
8
What’s So Hard About That?
What kind of key
Asymmetric (Public) keys
– Uses a combination of public and private keys
– Doesn’t require a secure exchange for the public key
– Can be very CPU intensive
Symmetric (Private) keys
– Same key is used for encryption and decryption
– Requires a secure exchange which is complicated and not always secure
9
What’s So Hard About That?
Hashing Algorithms
– Create a hash value also known as a message digest
– Ensures data has not been altered in transit
Secure Hash Standard (SHS)
– Issued by the National Institute of Standards and Technology (NIST)
– Specifies Secure Hash Algorithm 1 (SHA-1) as a secure algorithm
Keys + Hash = Confidentiality + Integrity
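An added example (not part of the original deck) of why the slide pairs keys with the hash: a bare digest flags a changed message, but whoever changes the message in transit can replace the digest too, whereas a keyed digest cannot be recomputed without the key. It goes slightly beyond the slide by using HMAC as the keyed construction. SHA-1 is used only because the slide names it; NIST has since deprecated it and hashlib.sha256 is a drop-in replacement here. The key and messages are constructed samples.

```python
import hashlib
import hmac

def digest(message: bytes) -> str:
    """Unkeyed message digest (SHA-1, as named on the slide)."""
    return hashlib.sha1(message).hexdigest()

def keyed_digest(key: bytes, message: bytes) -> str:
    """Keyed digest (HMAC-SHA1): only holders of `key` can produce it."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()

def verify_plain(message: bytes, received_digest: str) -> bool:
    return hmac.compare_digest(digest(message), received_digest)

def verify_keyed(key: bytes, message: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, message), received_tag)

# Constructed sample data.
KEY = b"shared-secret-known-to-cathy-and-john"
ORIGINAL = b"PAY 100 TO JOHN"
TAMPERED = b"PAY 900 TO JOHN"

def demo() -> dict:
    return {
        # Message changed, digest left alone: the mismatch is detected.
        "plain_detects_change": not verify_plain(TAMPERED, digest(ORIGINAL)),
        # Message changed and digest recomputed: an unkeyed check passes.
        "plain_detects_replaced_digest": not verify_plain(TAMPERED, digest(TAMPERED)),
        # Without KEY, a recomputed tag does not verify.
        "keyed_detects_forgery": not verify_keyed(
            KEY, TAMPERED, keyed_digest(b"wrong-key", TAMPERED)),
        # The legitimate sender's tag verifies.
        "keyed_accepts_original": verify_keyed(
            KEY, ORIGINAL, keyed_digest(KEY, ORIGINAL)),
    }

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```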
10
Public Key Encryption (AKA Asymmetric)
Step 1: Cathy uses John’s public key to encrypt message
Step 2: John uses his private key to decrypt message
[Diagram: Plaintext → (John’s Public Key) → Ciphertext → (John’s Private Key) → Plaintext]
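The two steps above, as an added example that is not part of the original deck. It uses textbook RSA with tiny constructed primes and encrypts byte by byte with no padding, which is only suitable for illustration; the names JOHN_PUBLIC and JOHN_PRIVATE are assumptions chosen to match the slide.

```python
# Textbook-sized parameters (constructed); real RSA keys are 2048 bits or more.
P, Q, E = 61, 53, 17

def make_keypair(p, q, e):
    """Return (public, private); each key is an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)

def encrypt(message: bytes, public_key) -> list:
    """Step 1: the sender encrypts with the recipient's PUBLIC key."""
    e, n = public_key
    return [pow(byte, e, n) for byte in message]

def decrypt(ciphertext: list, private_key) -> bytes:
    """Step 2: only the recipient's PRIVATE key recovers the plaintext."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)

JOHN_PUBLIC, JOHN_PRIVATE = make_keypair(P, Q, E)

if __name__ == "__main__":
    ct = encrypt(b"SECRET", JOHN_PUBLIC)     # Cathy needs no secret to do this
    print(ct)
    print(decrypt(ct, JOHN_PRIVATE))         # only John can do this
```

The public key can be handed out freely because applying it a second time does not undo the encryption; only the private exponent does.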
11
Private Key Encryption (AKA Symmetric)
Step 1: Cathy uses a private key to encrypt message
Step 2: John uses the same private key to decrypt message
[Diagram: Plaintext → (Key 00110011) → Ciphertext → (Key 00110011) → Plaintext]
12
Ciphers
Plaintext can be encrypted through one of two methods
– Block Ciphers
  • Message is divided into fixed blocks
  • Each block of plaintext bits is transformed into an encrypted block of ciphertext bits
  • Use algorithm functions including exclusive OR (XOR), substitution or transposition
– Stream Ciphers
  • Processes message bit by bit
  • Often use XOR algorithm
13
Ciphers
[Figure: Simple Stream Cipher (labels: Plaintext, Key, XOR, Ciphertext, Bit) and Simple Block Cipher (labels: Plaintext, Key, Substitution, Ciphertext, Block)]
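An added example (not part of the original deck) of the two methods, using the key value 00110011 from the symmetric-key slide. Both are toy ciphers written to mirror the slides, not real algorithms: the 4-byte block size, the substitution table and the byte rotation used as the transposition are assumptions made for the illustration.

```python
KEY = 0b00110011          # key value shown on the symmetric-key slide
BLOCK = 4                 # assumed block size in bytes (toy value)

def stream_xor(data: bytes, keystream: bytes) -> bytes:
    """Stream cipher: XOR each message byte (8 bits at a time) with the
    keystream. The same call with the same keystream decrypts."""
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))

# Key-dependent substitution table; 7 is odd, so i -> 7*i + KEY is a
# one-to-one mapping mod 256 and can be inverted.
SBOX = [(7 * i + KEY) % 256 for i in range(256)]
INV_SBOX = [0] * 256
for plain, sub in enumerate(SBOX):
    INV_SBOX[sub] = plain

def block_encrypt(data: bytes) -> bytes:
    """Block cipher: pad, split into fixed blocks, then apply XOR,
    substitution and transposition inside each block."""
    fill = BLOCK - len(data) % BLOCK
    data += bytes([fill]) * fill                      # pad to a whole block
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = [SBOX[b ^ KEY] for b in data[i:i + BLOCK]]
        out += bytes(block[1:] + block[:1])           # rotate bytes left by one
    return bytes(out)

def block_decrypt(data: bytes) -> bytes:
    """Reverse each step of block_encrypt in the opposite order."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = list(data[i:i + BLOCK])
        block = block[-1:] + block[:-1]               # undo the rotation
        out += bytes(INV_SBOX[b] ^ KEY for b in block)
    return bytes(out[:-out[-1]])                      # strip the padding

if __name__ == "__main__":
    msg = b"SECRET"                                   # constructed sample
    ct = stream_xor(msg, bytes([KEY]))
    print(ct.hex(), stream_xor(ct, bytes([KEY])))
    ct = block_encrypt(msg)
    print(ct.hex(), block_decrypt(ct))
```

The stream output is the same length as the message, while the block output is always a multiple of the block size because of padding.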
14
Encryption Algorithms
RSA
– an asymmetric key algorithm that offers both encryption and digital signatures (authentication) created by mathematicians Ron Rivest, Adi Shamir and Len Adleman
DES/3DES
– Data Encryption Standard
– Developed by IBM
– Is considered to be the best known and widely used symmetric algorithm in the world.
15
Encryption Algorithms
AES
– Has now emerged as the successor of DES/3DES
– Is intended to be the block cipher standard for the next 15-25 years
Blowfish
– Similar to DES, but uses a variable-length key
– This strong encryption algorithm is unpatented and license-free
– Available to the public at no cost.
16
Encryption Algorithms
IDEA
– Also known as International Data Encryption Algorithm (IDEA)
– While IDEA is patented in several countries, it is available for non-commercial use
– Was incorporated into Pretty Good Privacy (PGP) V2.0
Skipjack
– is an algorithm developed by the National Security Agency and declassified in June 1998
17
Business Drivers
Consumer Identity Theft
– Credit Card Fraud
– Phone or Utilities Fraud
– Bank Fraud
– Employment-related Fraud
– Government Documents / Benefits Fraud
– Loan Fraud
– Loss of Data
Consumer Identity Theft Consequences
– Additional impacts to consumer and business
– Legislation
18
The Hardest Questions
What Data Needs to Be Encrypted
– Data in Motion
– Data at Rest
– How do I determine what needs to be encrypted
– How do I manage the keys
19
Data In Motion
[Diagram: HITACHI storage systems connected across a WAN; labels: Plain text, Encrypted text]
Data-in-motion is encrypted as it leaves the source location and is decrypted as it arrives at its destination location
20
Data At Rest
[Diagram: HITACHI storage systems on a SAN with Disk and Tape; labels: Plain text, Encrypted text]
Data-at-Rest is concerned with protecting data as it sits at-rest in a database or on a device that is not traversing the network
21
What Data Should Be Encrypted?
Some Considerations
– Has the organization’s data been classified
– How much data is classified as public vs. non-public
– Where is that data stored
– What type of data needs to be protected (e.g. database information, etc.)
– Is the data duplicated or replicated to a remote site for DR or audit purposes
– How is the data transported or replicated to the remote site
22
Key Management
Where are my keys
– How are the keys created
– Who maintains the keys
– Who has access to the keys
– Vital for at-rest security
– Losing the keys loses the data
– Needs to allow for recovery of data for years
23
Key Management
24
Encryption Market Space
Encryption Market Space
– Gaining in maturity, still evolving, not all standards have been set
– Key management is a critical component
– Mismanagement of keys could lead to the potential that data could not be restored
– Major players have finally entered market
– Minor players are for the most part small, venture capital firms
25
Encryption Market Space
[Chart: Encryption Market Space. Platform labels: MF, WINDOWS, Linux/UNIX, O/S Encryption Options. Products and vendors shown: Decru/Netapp, CipherMax, PGP, Unylogix, Falcon Store, Ingrian, Vormetric, RSA/EMC, Veritas/Symantec NBU, MegaCryption, CA, EFS, Sun/STK, IBM]
26
Encryption Options
Software solution
– Application Based Encryption
Hybrid solution
– Application Aware Encryption
Hardware solution
– Inline Encryption Appliance
Tape Drive solution
O/S Level
27
Encryption Options
Considerations
– What data are you trying to protect
– How much data are you trying to protect
– Where is the data
– Does the data have to move anywhere
– What solution(s) can meet your needs without introducing complexity
28
Performance Impacts
Application
– Database impacts
CPU
– Software encryption uses CPU cycles
Network
– Do you need to move data over the network
Tape Drive
– Compression
29
Summary
Data needs to be protected
Encryption is one option
But encrypting data has its challenges
Consider short term and long term expectations for data protection
Research is an absolute necessity
30
Questions?