# Big Encryption on a Small Budget - PowerPoint PPT Presentation

1 / 31

Big Encryption on a Small Budget. Beth E. Binde Harold W. Winshel. Agenda. Definition of encryption Need for encryption Drawbacks to encryption Criteria for product selection Encryption demonstration. What is encryption?. Coding a message to conceal meaning

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Big Encryption on a Small Budget

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

## Big Encryption on a Small Budget

Beth E. Binde

Harold W. Winshel

### Agenda

• Definition of encryption

• Need for encryption

• Drawbacks to encryption

• Criteria for product selection

• Encryption demonstration

### What is encryption?

• Coding a message to conceal meaning

• Reduces impact of eavesdropping

• Helps protect Data At Rest

### How it works: Digital Substitution Example

• Apply the encryption key: 1010011 1010010 1001110

• To the plain text message CAT: 1000011 1000001 1010100

• XOR operation

• 0 if the same

• 1 if different

• The elements of the key correspond to letters:

• 1010011 = S

• 1010010 = R

• 1001110 = N

### Result

1000011 1000001 1010100

⊕ 1010011 1010010 1001110

====== ====== =======

0010000 0010011 0011010 ← Cipher text

• These binary strings correspond to ASCII control characters. They aren’t even printable!

• Results of string lookup:

• Data Link Escape → 0010000

• Device Control 3 → 0010011

• Substitute → 0011010

### Recover original message

• Ciphertext: 0010000 0010011 0011010

• Key: 1010011 1010010 1001110

• Apply XOR operation

• Original: 1000011 1000001 1010100

### Caution!

• Don’t trust a secret or proprietary algorithm or roll your own

• Public scrutiny by multiple experts finds the flaws

• Public scrutiny beneficial

• Protect keys

• Keys essential for decryption

• Even knowing the algorithm is not sufficient

• Don’t rely on any single technology or measure for security

### Why encrypt?

• Protect confidential data

• Non-public personal information (NPPI)

• Intellectual property

• Regulatory requirements

### Data Breach Incidents

• A Chronology of Breaches http://www.privacyrights.org/ar/ChronDataBreaches.htm

### Big Thefts of Notebooks with Sensitive Data.

• 28,600,000 records of American military veterans discharged since 1975 (SSN’s, names, dates of birth, etc.) on a laptop computer stolen from a VA’s ee’s home on May 22, 2006.

• 60,000 current and former employees of Starbucks on four Starbucks laptop computers that were lost. Contained employee’s names, addresses and SSN’s (Nov 3, 2006).

• 48,000 records of American military veterans that might contain SSN’s on a portable hard drive stolen or missing, from VA Medical Center in Birmingham, AL (Feb 2, 2007).

### Reportable Incident?

“… notification is required if there is reasonable belief that data were acquired by an unauthorized individual.” (Steve Schuster / Tracy Mitrano, Cornell)

Is the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information? (Cal State Northridge).

### If Encryption’s So Great, How Come Everyone Doesn’t Use It?

• Cost of purchase

• Time

• Product evaluation and testing

• Installation and maintenance

• Staff training

• User education

• Loss of data due to corruption of encrypted disks

• Possible lock out due to forgotten passwords

Pay now

… or pay later

Data at rest

Data in transit

Data in process

### Terminology – Authentication Factors

• The more factors the better

• One-factor authentication

• Two-factor authentication

• Three-factor authentication

### Our Criteria for Evaluating Encryption Products

• Purchase cost of the product

• Size of current user base

• Open source?

• Availability of support

### More Criteria…

• Ease of administration for IT staff

• Ease of use for end users

• What happens when things go wrong.

• Ability to support two-factor authentication.

### And more criteria…

• Full disk encryption vs. file / folder encryption.

• Keyserver vs. standalone products.

• Support of portable media (flash drives, zip drives, CD’s, etc.)

• Not linked to hardware of a specific manufacturer

### Why we chose Truecrypt

• Large user base

• Great support

• Very well received / good reviews

• Free

### Why we chose Truecrypt…more…

• File / folder

• Supports two factor authentication.

• Supports multiple operating systems.

• Encrypts portable media.

### Truecrypt Details.

• Truecrypt volumes:

• File-hosted volumes (aka Container volume)

• Device hosted volumes (partition).

• Truecrypt won’t encrypt existing files.

• Encrypting an existing file will overwrite that file.

• Password is entered once to decrypt a volume.

• Truecrypt never saves decrypted data to a disk.

• Decrypted data temporarily stored in ram.

• Even when volume is mounted, data on disk still encrypted.

• Password is entered once to decrypt a volume.

• Travelor mode.

• Date / time stamp of the file.

### Steps in Creating / Using a Truecrypt Encrypted Area:

• Create a Truecrypt volume.

• Mount a Truecrypt volume.

• Copy files to / from a Truecrypt volume.

• Dismount a Truecrypt volume.

### Things We Don’t Favor About Truecrypt

• File / folder

• Interface a little clunky.

• Windows recognition of the Truecrypt volume when it is not mounted.

### Current TrueCrypt Vulnerability

• Escalation of privileges by local users

• Applies to Linux implementation

• Reported March 28, 2007

• Must be running TrueCrypt as setuid root

• Exploit available

### Features of Other Encryption Products We Reviewed.

• Which features were typical to many products

• Which features were considered positive

• Which features where considered negative

### Some Other Encryption Products We Looked At.

• Encryption utilities on flash drives.

• Axcrypt

• Cryptainer

• SafeEnd

• Windows EFS

• Windows Vista Bitlocker

• Pointsec

• Safeboot

• Authenix

• PGP

### Suggestions / Policies

• Get senior administration support for policies to protect data

• Don’t store sensitive data if you don’t have to

• Use utilities to find files with sensitive data

• Require encryption for sensitive data

### Conclusion

• What is encryption?

• Why do you need it?

• Encryption as part of an overall security posture