Encryption Primer

PACMG

Cathy Nolan

03/26/2008

2

Encryption Primer

Encryption Overview Why Encrypt Encrypting ‘Data at Rest’ Performance Considerations Summary

3

What is Encryption?

Cryptology is the science of encryption– Cryptography

• Literally means hidden writing

• Is the process of making and using codes to secure communication

– Cryptanalysis• Is the process of obtaining the original message

from an encrypted message without knowing the algorithms or keys used for encryption

4

What is Encryption?

More on Cryptology – Encryption

• The process of changing plaintext into ciphertext

– Decryption • Is the process of changing ciphertext into plaintext

5

What is Encryption?

History– 1900 B.C. – one of the earliest documented forms of

written cryptography – Caesar Cipher– Used during prohibition era– Navajo Codetalkers

Used in every day life today– Ordering coffee at Starbucks– Daily cryptograms– Internet transactions– Email exchanges

6

What is Encryption?

All kinds of uses

SECRET = VHFUHW

Caesar Cipher or Super Hero Code Ring

Secure Web SiteCryptogram

7

What’s So Hard About That?

Encryption is a subset of security– Our basic concept of security is to lock

something with a key.– Security plans are are designed around

• Authentication (Person or Equipment looking for data)• Confidentiality (can’t read it if you find it)• Integrity (not altered in transit)• Non-repudiation (logging who did what and when)

8

What’s So Hard About That?

What kind of key Asymmetric (Public) keys

– Uses a combination of public and private keys– Doesn’t require a secure exchange for the public

key– Can be very CPU intensive

Symmetric (Private) keys– Same key is used for encryption and decryption– Requires a secure exchange which is

complicated and not always secure

9

What’s So Hard About That?

Hashing Algorithms– Create a hash value also known as a message

digest – Ensures data has not been altered in transit

Secure Hash Standard (SHS)– Issued by the National Institute of Standards

and Technology (NIST)– Specifies Secure Hash Algorithm 1 (SHA-1) as

a secure algorithm Keys + Hash = Confidentiality + Integrity

10

Public Key Encryption(AKA Asymmetric)

Step 1: Cathy uses John’s public key to encrypt message

Step 2: John uses his private key to decrypt message

Plaintext Ciphertext PlaintextJohn’s Public Key John’s Private Key

11

Private Key Encryption(AKA Symmetric)

Step 1: Cathy uses a private key to encrypt message

Step 2: John uses the same private key to decrypt message

Plaintext Ciphertext PlaintextKey 00110011 Key 00110011

12

Ciphers Plaintext can be encrypted through one of

two methods – Block Ciphers

• Message is divided into fixed blocks • Each block of plaintext bits is transformed into an

encrypted block of cipherext bits• Use algorithm functions including exclusive OR

(XOR), substitution or transposition

– Stream Ciphers• Processes message bit by bit• Often use XOR algorithm

13

Ciphers

Simple Stream Cipher

Simple Block Cipher

Plaintext

Ciphertext

Key

Substitution

XOR

Key

Plaintext

Ciphertext

Bit

BitB

lock

Block

14

Encryption Algorithms

RSA– an asymmetric key algorithm that offers both

encryption and digital signatures (authentication) created by mathematicians Ron Rivest, Adi Shamir and Len Adleman

DES/3DES– Data Encryption Standard– Developed by IBM– Is considered to be the best known and widely

used symmetric algorithm in the world.

15

Encryption Algorithms

AES– Has now emerged as the successor of

DES/3DES– Is intended to be the block cipher standard for

the next 15-25 years Blowfish

– Similar to DES, but uses a variable-length key– This strong encryption algorithm is unpatented

and license-free – Available to the public at no cost.

16

Encryption Algorithms

IDEA– Also known as International Data Encryption

Algorithm (IDEA)– While IDEA is patented in several countries, it

is available for non-commercial use– Was incorporated into Pretty Good Privacy

(PGP) V2.0 Skipjack

– is an algorithm developed by the National Security Agency and declassified in June 1998

17

Business Drivers Consumer Identity Theft

– Credit Card Fraud– Phone or Utilities Fraud– Bank Fraud– Employment-related Fraud– Government Documents / Benefits Fraud– Loan Fraud– Loss of Data

Consumer Identity Theft Consequences– Additional impacts to consumer and business– Legislation

18

The Hardest Questions

What Data Needs to Be Encrypted– Data in Motion– Data at Rest– How do I determine what needs to be encrypted– How do I manage the keys

19

Data In Motion

WAN

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

HITACHI

Encrypted text

Encrypted textPlain text

Plain text

Data-in-motion isencrypted as it

leaves the source location and is decrypted as it arrives at its destination

location

20

Data At Rest

SAN

HITACHI

HITACHI

HITACHI

HITACHI

Tape

Tape

Tape

Disk

Tape

Plain text

Plain text

Encrypted text

Data-at-Rest is concerned with protecting data as it sits at-rest in a database or on a device that

is not transversing the

network

21

What Data Should Be Encrypted? Some Considerations

– Has the organization’s data been classified– How much data is classified as public vs. non-

public – Where is that data stored– Why type of data needs to be protected (e.g.

database information, etc.)– Is the data duplicated or replicated to a remote

site for DR or audit purposes– How is the data transported or replicated to

the remote site

22

Key Management

Where are my keys– How are the keys created – Who maintains the keys– Who has access to the keys– Vital for at-rest security– Losing the keys loses the data– Needs to allow for recovery of data for years

23

Key Management

24

Encryption Market Space

Encryption Market Space– Gaining in maturity, still evolving, not all

standards have been set – Key management is a critical component– Mismanagement of keys could lead to the

potential that data could not be restored– Major players have finally entered market – Minor players are for the most part small,

venture capital firms

25

Encryption Market Space

Encryption Market Space

MF

WINDOWS

Decru/Netapp CipherMax

PGP Unylogix

Falcon Store IngrianVormetric RSA/EMC

Veritas/Symantec NBU

O/S Encryption Options

Linux/UNIX

MegaCryption

CA

EFSSun/STKIBM

26

Encryption Options

Software solution– Application Based Encryption

Hybrid solution – Application Aware Encryption

Hardware solution• Inline Encryption Appliance

Tape Drive solution O/S Level

27

Encryption Options

Considerations– What data are you trying to protect– How much data are you trying to protect– Where is the data– Does the data have to move anywhere– What solution(s) can meet your needs without

introducing complexity

28

Performance Impacts

Application– Database impacts

CPU– Software encryption uses CPU cycles

Network– Do you need to move data over the network

Tape Drive– Compression

29

Summary

Data needs to be protected Encryption is one option But encrypting data has its challenges Consider short term and long term

expectations for data protection Research is an absolute necessity

30

?

Questions