1 / 44

McAfee E-Business Server 7.1.1 Rob Heckman McAfee Security rheckman@nai

McAfee E-Business Server 7.1.1 Rob Heckman McAfee Security rheckman@nai.com. Agenda. Data Security E-Biz Server Introduction to Cryptography Using E-Biz Server Specific functions for OS/390 and z/OS B2B example. Defining the need for data security. What? Customer Information

locke
Download Presentation

McAfee E-Business Server 7.1.1 Rob Heckman McAfee Security rheckman@nai

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. McAfee E-Business Server 7.1.1 Rob Heckman McAfee Security rheckman@nai.com

  2. Agenda • Data Security • E-Biz Server • Introduction to Cryptography • Using E-Biz Server • Specific functions for OS/390 and z/OS • B2B example

  3. Defining the need for data security What? • Customer Information • Financial Data • Proprietary Company Information Where? • In Transit • In Storage • Outside the Organization • Inside the Organization Why? • Value of the Data • Reputation of the Company • Government Regulation • Cost Reduction Through Elimination of Leased Lines

  4. Is data security important? Source: IDC 2000

  5. Why is it important now? • INTERNET • B2B • Email • Online Shopping • Data on Personal PC’s and Palm type devices • Data on the Servers • Even though a product such as RACF can protect access to data, some people may still have access to it. • To get around this, it can be stored encrypted

  6. What is McAfee E-Business Server? • Protects the security and integrity of your organization’s data and messages • In storage or in transit • Based on public/private key encryption • Uses PGP keys, X.509 certificates, Self Decrypting Archives • Encrypts information using key pair

  7. What is McAfee E-Business Server? • Comprehensive Platform Choice • OS/390 and z/OS (Batch/TSO/USS) • Linux (including S/390 and zSeries) • Solaris • AIX • HPUX • Win32 • Additional Benefit when using INTERNET • Avoid have to use expensive private networks for communication • Avoid having to support multiple communication protocols

  8. What is Cryptography? • Science of Securing Information • Using Mathematics to encrypt and decrypt data • Crypto analysis is the science of analyzing and breaking secure communication

  9. Simple example • Julius Caesar • Used encryption to prevent his enemies from discovering his secrets and plans EHZDUH WKH LGHV RI PDUFK

  10. Simple example • Julius Caesar • Encrypted his messages with the shift by 3 rule or key • Substituted all A’s with D’s, B’s with E’s, C’s with F’s, etc… • Unless you knew the key you wouldn’t be able to decrypt message BEWARE THE IDES OF MARCH

  11. How does cryptography work? • Mathematical function or algorithm • Use a pass phrase to generate cipher text

  12. What is a KEY? • Value that works with a cryptographic algorithim to produce a specific ciphertext • Essentially very large numbers • The bigger the key, the more secure the ciphertext • Two types of keys • Symmetric (session) • Asymmetric (public/private) • Cryptographic algorithims • Triple DES • IDEA • CAST • TwoFish

  13. Conventional Cryptography • Secret key or symmetric key encryption

  14. Conventional Cryptography • Benefits • Fast • Great for data not going anywhere • Drawbacks • Two people must agree on a key and keep it secret • If in two different locations, must trust courier • email? Phone? • Number of keys grows very quickly (n^2-n) • What is a solution?

  15. Public key Cryptography

  16. Public key Cryptography • Asymmetric scheme that uses a pair of keys • Public and Private • Created by Whitefield Diffie and Martin Hellman in 1975 • Mathematical algorithm produces keys • Computationally infeasible to deduce private key from public key • Public key used to encrypt data • Private key to decrypt data • Three types • DSS • RSA • RSA legacy (no support for ADKs, designated revokers, photid)

  17. Public key Cryptography • Publish your public key to world while keeping private key secret • Someone with your public key can encrypt information that only you can read using your private key • Gets around problem of key distribution • No need for bat phone or cone of silence to distribute keys • Allows people with no preexisting security arrangements to exchange data securely • All communications involves only public keys

  18. How does encryption work?

  19. How does decryption work?

  20. Digital Signatures • Serves same purpose as handwritten signature • Let recipient of information verify • Authenticity • Verify the information’s origin • Data integrity • Information was not altered while in transit • Non-repudiation • Prevents sender from claiming the he or she did not actually send the information

  21. Digital Signatures • Encrypt with your private key • If decrypted with your public key then it must have originated with you • Some people use signatures more than encryption

  22. Digital Signatures

  23. Problems with this implementation • Slow • Lots of data produced • Sometimes twice as much as original • Can improve by using one way hash • Hash function takes variable length data as input • Produces a fixed length output file say 160 bits • Eg: md5sum • Essentially a HASH function ensures that if even one bit changes in a file, the output will be different.

  24. Using Hash function to create signature

  25. Key Management • Once you start encrypting and decrypting data, you will need to somehow manage your keys • Keys are just very large numbers • Concept of Keyring • Import public keys • When encrypting data, can choose key from ring • Can also store keys on key server

  26. Digital Certificates • Issue with public key cryptosystems is that users must constantly make sure that they are encrypting to the correct person’s key • Form of credential • Drivers license, social security card, birth certificate, passport • Used to thwart attempts to substitute one person’s key for another

  27. Digital Certificates • Digital certificate contains the following: • A public key • Certificate information • Name, user ID, etc • One or more digital signatures • Signed by CA • Essentially a digital certificate is a public key with one or more forms of id and a stamp of approval from some trusted individual or organization • Entrust • VeriSign • RSA • Simplifies the task of establishing whether a public key truly belongs to the purported owner • Used in SSL and VPN’s

  28. Security Product needs to do the following • Data security during transit • Data security in storage • Authentication • Data integrity • Non repudiation • Key management

  29. Using E-Biz Server • Generate and import keys • Key management • Encrypt Data • Decrypt Data • Digital signatures • X509 certificates

  30. Generate key • pgp --key-gen • Need to input type of key • DS/DHH RSA RSA Legacy • Size of key • 1024 2048 3092 • Name of key • rheckman@nai.com • Passphrase • The leafs are going to win the cup this year

  31. Manage keys • Import keys • --key-add filename_containing_key • Export keys • --key-export userid • Level of trust • --key-edit rheckman@nai.com --trust implicit • Default signing key • Change passphrase • --key-edit userid --change-passphrase • Key splitting • --key-split userid • KeyServer • --keyserver-fetch userid --keyserver <keyserver URL> • --keyserver-send userid --keyserver <keyserver URL>

  32. Encrypting file • --encrypt inputfile --user user --output outputfile • where: • inputfile input file name (data you are encrypting) • user key name or id • outputfile output file name (where encrypted data goes)

  33. Decrypt file • --decrypt cifrtext • In this case you will be prompted for user/keyid as well as passphrase • where • cifrtext encrypted file

  34. Signatures • pgp --sign filename --user rob1 --output outfile • This will sign a file • pgp --encrypt --sign filename --user rob1 • This will sign and encrypt a file

  35. Certificates • Add CA’s certificate to keyring • pgp --key-add file_containing_CA_certificate • Requesting certificate • pgp --cert-request keyid • Retrieving and adding certificate • pgp --cert-retrieve keyid

  36. Considerations for OS/390, z/OS • ASCII EBCEDIC • --text • --encrypt filename –text • Allows file to be decrypted on any platform • Takes care of line ends and ASCII/EBCEDIC issues • Need to send binary • --armor • --encrypt filename –armor • ASCII-armored format • Suitable for transport thru mail gateways • Send as ASCII, not binary • --text and –armor • --encrypt filename –text –armor • Probably most important set of options • Need to send as ASCII, not binary

  37. Config file options specifically forOS/390 and z/OS • TEMPFILENAMETEMPLATE • USEICSF • STORAGECLASS • MANAGEMENTCLASS • DATACLASS

  38. TEMPFILENAMETEMPLATE • Specifies the template for name temp datasets • Some shops have unique environments • ACS routines may prevent standard temp file name • HLQ and userid may not match EG: TEMPFILENAMETEMPLATE=‘P390X.ABC%%%%%.DEF%%%%%’

  39. SMS controls • STORAGECLASS • Specify which storage class to use for temp files • MANAGEMENTCLASS • Specify which management class to use for temp files • DATACLASS • Specify which data class to use for temp files • NUMBEROFVOLUMES • Specify how many volumes can be used for multivolume temp files

  40. USEICSF • Allows E-biz Server to exploit crypto hardware found on most IBM mainframes • USEICSF=ON default • Used for 2 reasons • Provide entropy for key generation • Avoid having to randomly press keys when providing entropy for key generation • Encrypt file with a 3des key • Depending upon data can substantially improve encryption time

  41. B2B example • Encrypt text file on OS/390 and send to Bank_of_Toronto (Win 2K platform) • Pgp –encrypt –sign filename –text –armor –outout output file • Prompted for user to encrypt to and passphrase of signing key • ftp Bank_of_Toronto • Ascii • Put filename myfilename • Decrypt text file on Win2k (Bank_of_Toronto) • pgp --decrypt myfilename • Prompted for passphrase

  42. References The Code Book: Evolution of Secrecy from Ancient Egypt to Quantum Cryptography ISBN 0385495323 The Codebreakers: The Story of Secret Writing ISBN 0-684-83130-9 Applied Cryptography: Protocols, Algorithms, and Source Code in C ISBN 0-471-12845-7

  43. Technical aspects of cryptography • www.iarc.org International Association of Cryptologic Research • www.pgpi.org International pgp website • www.nist.gov/aes National Institute of Standards and Technology

More Related