Big encryption on a small budget
Presentation Transcript

Big Encryption on a Small Budget

Beth E. Binde

Harold W. Winshel


Agenda

  • Definition of encryption

  • Need for encryption

  • Drawbacks to encryption

  • Criteria for product selection

  • Encryption demonstration


What is encryption?

  • Coding a message to conceal meaning

  • Reduces impact of eavesdropping

  • Helps protect Data At Rest


How it works: Digital Substitution Example

  • Apply the encryption key: 1010011 1010010 1001110

  • To the plain text message CAT: 1000011 1000001 1010100

  • XOR operation

    • 0 if the same

    • 1 if different

  • The elements of the key correspond to letters:

    • 1010011 = S

    • 1010010 = R

    • 1001110 = N


Result

  1000011 1000001 1010100   Plaintext (CAT)

⊕ 1010011 1010010 1001110   Key (SRN)

  ======= ======= =======

  0010000 0010011 0011010   ← Cipher text

  • These binary strings correspond to ASCII control characters. They aren’t even printable!

  • Results of string lookup:

    • Data Link Escape → 0010000

    • Device Control 3 → 0010011

    • Substitute → 0011010


Recover original message

  • Ciphertext: 0010000 0010011 0011010

  • Key: 1010011 1010010 1001110

  • Apply XOR operation

  • Original: 1000011 1000001 1010100


Caution!

  • Don’t trust a secret or proprietary algorithm or roll your own

    • Public scrutiny by multiple experts finds the flaws

    • Public scrutiny beneficial

  • Protect keys

    • Keys essential for decryption

    • Even knowing the algorithm is not sufficient

  • Don’t rely on any single technology or measure for security
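The XOR walkthrough from the preceding slides, as an added example that is not part of the original presentation: it encrypts CAT with the key SRN, names the resulting ASCII control characters, recovers the plaintext with the same key, and (for the Caution slide) shows that a different key, the constructed value XYZ, does not recover the message even though the algorithm itself is public. The function names and the `CONTROL_NAMES` table are my own, not anything from the slides.

```python
# Added example (not part of the original presentation): the slides'
# "digital substitution" walked through in code.  XOR is its own inverse,
# so the key that turns CAT into ciphertext also turns the ciphertext back
# into CAT, and the ciphertext lands in the ASCII control range, as the
# Result slide shows.  The wrong-key run illustrates the Caution slide:
# the algorithm is public, the key is what protects the data.

# Standard ASCII names of the 33 control codes 0x00..0x20 (SP), used to
# label the ciphertext the way the Result slide does.
CONTROL_NAMES = (
    "NUL SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI "
    "DLE DC1 DC2 DC3 DC4 NAK SYN ETB CAN EM SUB ESC FS GS RS US SP"
).split()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each data byte with the key byte in the same position.

    The key must be at least as long as the data: if a short key were
    repeated to cover a long message, the same key byte would be reused
    across many positions, the classic weakness of a home-made XOR cipher.
    """
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def to_bits(data: bytes) -> str:
    """Render bytes as the 7-bit strings used on the slides (ASCII only)."""
    return " ".join(f"{b:07b}" for b in data)


def describe(data: bytes) -> list:
    """Name each byte: control-code name for 0x00..0x20, the character otherwise."""
    return [CONTROL_NAMES[b] if b <= 0x20 else chr(b) for b in data]


def is_printable(data: bytes) -> bool:
    """True only if every byte is a printable ASCII character (0x21..0x7E)."""
    return all(0x21 <= b <= 0x7E for b in data)


def demo() -> dict:
    plaintext = b"CAT"          # 1000011 1000001 1010100
    key = b"SRN"                # 1010011 1010010 1001110 (the slide's key)
    ciphertext = xor_bytes(plaintext, key)
    recovered = xor_bytes(ciphertext, key)
    wrong_key = b"XYZ"          # constructed: another key, same public algorithm
    wrong_result = xor_bytes(ciphertext, wrong_key)
    return {
        "cipher_bits": to_bits(ciphertext),       # "0010000 0010011 0011010"
        "cipher_names": describe(ciphertext),     # ["DLE", "DC3", "SUB"]
        "cipher_printable": is_printable(ciphertext),  # False
        "recovered": recovered,                   # b"CAT"
        "wrong_key_result": wrong_result,         # not b"CAT"
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Because XOR with a full-length key maps any ciphertext to some plaintext for any key, the wrong-key result is not recognisable garbage but simply a different three-byte string; nothing in the output tells an outsider which key is right, which is exactly why the key, not the algorithm, has to stay secret.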


Why encrypt?

  • Protect confidential data

    • Non-public personal information (NPPI)

    • Intellectual property

  • Regulatory requirements


Data Breach Incidents

  • A Chronology of Breaches http://www.privacyrights.org/ar/ChronDataBreaches.htm

  • Educational Security Incidents http://www.adamdodge.com/esi




Big Thefts of Notebooks with Sensitive Data.

  • 28,600,000 records of American military veterans discharged since 1975 (SSNs, names, dates of birth, etc.) on a laptop computer stolen from a VA employee’s home on May 22, 2006.

  • 60,000 current and former employees of Starbucks on four Starbucks laptop computers that were lost. Contained employees’ names, addresses and SSNs (Nov 3, 2006).

  • 48,000 records of American military veterans that might contain SSNs on a portable hard drive stolen or missing from the VA Medical Center in Birmingham, AL (Feb 2, 2007).


Reportable Incident?

“… notification is required if there is reasonable belief that data were acquired by an unauthorized individual.” (Steve Schuster / Tracy Mitrano, Cornell)

Is the information in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information? (Cal State Northridge)


If Encryption’s So Great, How Come Everyone Doesn’t Use It?

  • Cost of purchase

  • Time

    • Product evaluation and testing

    • Installation and maintenance

    • Staff training

    • User education

  • Loss of data due to corruption of encrypted disks

  • Possible lock out due to forgotten passwords


Encryption vs. Data Breach

Pay now

… or pay later


Three States of Data

Data at rest

Data in transit

Data in process


Terminology – Authentication Factors

  • The more factors the better

  • One-factor authentication

  • Two-factor authentication

  • Three-factor authentication


Our Criteria for Evaluating Encryption Products

  • Purchase cost of the product

  • Size of current user base

  • Open source?

  • Availability of support


More Criteria…

  • Ease of administration for IT staff

  • Ease of use for end users

  • What happens when things go wrong.

  • Ability to support two-factor authentication.


And More Criteria…

  • Full disk encryption vs. file / folder encryption.

  • Keyserver vs. standalone products.

  • Support of portable media (flash drives, zip drives, CDs, etc.)

  • Not linked to hardware of a specific manufacturer


Why We Chose Truecrypt

  • Large user base

  • Great support

  • Very well received / good reviews

  • Free


Why We Chose Truecrypt…more…

  • File / folder

  • Supports two factor authentication.

  • Supports multiple operating systems.

  • Encrypts portable media.


Truecrypt Details

  • Truecrypt volumes:

    • File-hosted volumes (a.k.a. container volumes)

    • Device-hosted volumes (partitions).

  • Truecrypt won’t encrypt existing files.

    • Encrypting an existing file will overwrite that file.

  • Password is entered once to decrypt a volume.

  • Truecrypt never saves decrypted data to a disk.

    • Decrypted data is temporarily stored in RAM.

    • Even when the volume is mounted, the data on disk is still encrypted.

  • Traveler mode.

  • Date / time stamp of the file.


Steps in Creating / Using a Truecrypt Encrypted Area:

  • Create a Truecrypt volume.

  • Mount a Truecrypt volume.

  • Copy files to / from a Truecrypt volume.

  • Dismount a Truecrypt volume.


Things We Don’t Favor About Truecrypt

  • File / folder

  • Interface a little clunky.

  • Windows recognition of the Truecrypt volume when it is not mounted.


Current TrueCrypt Vulnerability

  • Escalation of privileges by local users

  • Applies to Linux implementation

  • Reported March 28, 2007

  • Must be running TrueCrypt as setuid root

  • Exploit available

  • More information here: http://www.securityfocus.com/bid/23180/info


Features of Other Encryption Products We Reviewed

  • Which features were typical to many products

  • Which features were considered positive

  • Which features were considered negative


Some Other Encryption Products We Looked At

  • Encryption utilities on flash drives.

  • Axcrypt

  • Cryptainer

  • SafeEnd

  • Windows EFS

  • Windows Vista Bitlocker

  • Pointsec

  • Safeboot

  • Authenix

  • PGP


Suggestions / Policies

  • Get senior administration support for policies to protect data

  • Don’t store sensitive data if you don’t have to

  • Use utilities to find files with sensitive data

  • Require encryption for sensitive data
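An added example, not from the presentation, of the kind of utility the slide above recommends for finding files with sensitive data: it walks a directory tree looking for US Social Security Number patterns (the non-public personal information the breach slides are about), filters out values the SSA never issues, and reports which files need to be encrypted or removed. The sample files it scans are constructed inside the script, and every name in it (`scan_tree`, `count_ssns`, the sample paths and numbers) is my own.

```python
# Added example (not part of the presentation): a small "find files with
# sensitive data" utility of the kind the Suggestions / Policies slide
# recommends.  It walks a directory tree, looks for US Social Security
# Number patterns and reports which files hold them, so they can be
# encrypted or deleted.  The sample tree is constructed inside demo() so
# the script runs offline.
import re
import shutil
import tempfile
from pathlib import Path

# NNN-NN-NNNN with word boundaries, so longer digit runs such as
# order numbers do not produce partial matches.
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, which removes obvious false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a piece of text."""
    return sum(1 for m in SSN_PATTERN.finditer(text) if looks_like_ssn(*m.groups()))


def scan_tree(root, extensions=(".txt", ".csv", ".log"), max_bytes=1_000_000) -> dict:
    """Map each text-like file under root that contains SSNs to its hit count.

    Only the listed extensions are read, and very large files are skipped,
    so the scan stays cheap enough to run regularly over user directories.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        if path.stat().st_size > max_bytes:
            continue
        hits = count_ssns(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample files: made-up names and numbers, no real data.
SAMPLE_FILES = {
    "hr/roster.csv": "name,ssn\nA. Person,123-45-6789\nB. Person,666-12-3456\nC. Person,987-65-4321\n",
    "notes/memo.txt": "Two records: 219-09-9999 and 321-54-9876. Part no. 2023-10-1234.\n",
    "public/brochure.txt": "Call 555-0100 for details.\n",
    "images/photo.png": "not scanned: extension is not text-like, 123-45-6789\n",
}


def demo() -> dict:
    """Build the constructed sample tree in a temp directory, scan it, clean up."""
    root = Path(tempfile.mkdtemp(prefix="ssn-scan-"))
    try:
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(root)  # {"hr/roster.csv": 1, "notes/memo.txt": 2}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {hits} SSN-like value(s); encrypt or remove this file")
```

The plausibility filter matters in practice: a raw NNN-NN-NNNN regex over real file shares produces many part numbers and phone-like strings, and a scanner that cries wolf is the one staff stop running. Pointing it at an existing home directory instead of the constructed tree only needs `scan_tree("/path/to/home")`.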


Conclusion

  • What is encryption?

  • Why do you need it?

  • Encryption as part of an overall security posture

  • Sharing experiences to help you


Truecrypt available at:

www.truecrypt.org

