1 / 30

Encryption Primer

Encryption Primer. PACMG Cathy Nolan 03/26/2008. Encryption Primer. Encryption Overview Why Encrypt Encrypting ‘Data at Rest’ Performance Considerations Summary. What is Encryption?. Cryptology is the science of encryption Cryptography Literally means hidden writing

Download Presentation

Encryption Primer

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Encryption Primer PACMG Cathy Nolan 03/26/2008

  2. Encryption Primer • Encryption Overview • Why Encrypt • Encrypting ‘Data at Rest’ • Performance Considerations • Summary

  3. What is Encryption? • Cryptology is the science of encryption • Cryptography • Literally means hidden writing • Is the process of making and using codes to secure communication • Cryptanalysis • Is the process of obtaining the original message from an encrypted message without knowing the algorithms or keys used for encryption

  4. What is Encryption? • More on Cryptology • Encryption • The process of changing plaintext into ciphertext • Decryption • Is the process of changing ciphertext into plaintext

  5. What is Encryption? • History • 1900 B.C. – one of the earliest documented forms of written cryptography • Caesar Cipher • Used during prohibition era • Navajo Codetalkers • Used in every day life today • Ordering coffee at Starbucks • Daily cryptograms • Internet transactions • Email exchanges

  6. What is Encryption? • All kinds of uses SECRET = VHFUHW Caesar Cipher or Super Hero Code Ring Secure Web Site Cryptogram

  7. What’s So Hard About That? • Encryption is a subset of security • Our basic concept of security is to lock something with a key. • Security plans are are designed around • Authentication (Person or Equipment looking for data) • Confidentiality (can’t read it if you find it) • Integrity (not altered in transit) • Non-repudiation (logging who did what and when)

  8. What’s So Hard About That? • What kind of key • Asymmetric (Public) keys • Uses a combination of public and private keys • Doesn’t require a secure exchange for the public key • Can be very CPU intensive • Symmetric (Private) keys • Same key is used for encryption and decryption • Requires a secure exchange which is complicated and not always secure

  9. What’s So Hard About That? • Hashing Algorithms • Create a hash value also known as a message digest • Ensures data has not been altered in transit • Secure Hash Standard (SHS) • Issued by the National Institute of Standards and Technology (NIST) • Specifies Secure Hash Algorithm 1 (SHA-1) as a secure algorithm • Keys + Hash = Confidentiality + Integrity

  10. Public Key Encryption(AKA Asymmetric) John’s Public Key John’s Private Key Plaintext Ciphertext Plaintext Step 1: Cathy uses John’s public key to encrypt message Step 2: John uses his private key to decrypt message

  11. Private Key Encryption(AKA Symmetric) Key 00110011 Key 00110011 Plaintext Ciphertext Plaintext Step 1: Cathy uses a private key to encrypt message Step 2: John uses the same private key to decrypt message

  12. Ciphers • Plaintext can be encrypted through one of two methods • Block Ciphers • Message is divided into fixed blocks • Each block of plaintext bits is transformed into an encrypted block of cipherext bits • Use algorithm functions including exclusive OR (XOR), substitution or transposition • Stream Ciphers • Processes message bit by bit • Often use XOR algorithm

  13. Ciphers Key XOR Ciphertext Bit Bit Plaintext Simple Stream Cipher Block Block Ciphertext Substitution Plaintext Key Simple Block Cipher

  14. Encryption Algorithms • RSA • an asymmetric key algorithm that offers both encryption and digital signatures (authentication) created by mathematicians Ron Rivest, Adi Shamir and Len Adleman • DES/3DES • Data Encryption Standard • Developed by IBM • Is considered to be the best known and widely used symmetric algorithm in the world.

  15. Encryption Algorithms • AES • Has now emerged as the successor of DES/3DES • Is intended to be the block cipher standard for the next 15-25 years • Blowfish • Similar to DES, but uses a variable-length key • This strong encryption algorithm is unpatented and license-free • Available to the public at no cost.

  16. Encryption Algorithms • IDEA • Also known as International Data Encryption Algorithm (IDEA) • While IDEA is patented in several countries, it is available for non-commercial use • Was incorporated into Pretty Good Privacy (PGP) V2.0 • Skipjack • is an algorithm developed by the National Security Agency and declassified in June 1998

  17. Business Drivers • Consumer Identity Theft • Credit Card Fraud • Phone or Utilities Fraud • Bank Fraud • Employment-related Fraud • Government Documents / Benefits Fraud • Loan Fraud • Loss of Data • Consumer Identity Theft Consequences • Additional impacts to consumer and business • Legislation

  18. The Hardest Questions • What Data Needs to Be Encrypted • Data in Motion • Data at Rest • How do I determine what needs to be encrypted • How do I manage the keys

  19. Data In Motion Plain text Data-in-motion is encrypted as it leaves the source location and is decrypted as it arrives at its destination location Encrypted text WAN Encrypted text Plain text

  20. Data At Rest Disk Plain text SAN Encrypted text Plain text Data-at-Rest is concerned with protecting data as it sits at-rest in a database or on a device that is not transversing the network Tape

  21. What Data Should Be Encrypted? • Some Considerations • Has the organization’s data been classified • How much data is classified as public vs. non-public • Where is that data stored • Why type of data needs to be protected (e.g. database information, etc.) • Is the data duplicated or replicated to a remote site for DR or audit purposes • How is the data transported or replicated to the remote site

  22. Key Management • Where are my keys • How are the keys created • Who maintains the keys • Who has access to the keys • Vital for at-rest security • Losing the keys loses the data • Needs to allow for recovery of data for years

  23. Key Management

  24. Encryption Market Space • Encryption Market Space • Gaining in maturity, still evolving, not all standards have been set • Key management is a critical component • Mismanagement of keys could lead to the potential that data could not be restored • Major players have finally entered market • Minor players are for the most part small, venture capital firms

  25. Encryption Market Space • Encryption Market Space WINDOWS MF EFS • Decru/Netapp CipherMax PGP Unylogix Falcon Store Ingrian Vormetric RSA/EMC Veritas/Symantec NBU • O/S Encryption Options • Linux/UNIX Sun/STK IBM MegaCryption CA

  26. Encryption Options • Software solution • Application Based Encryption • Hybrid solution • Application Aware Encryption • Hardware solution • Inline Encryption Appliance • Tape Drive solution • O/S Level

  27. Encryption Options • Considerations • What data are you trying to protect • How much data are you trying to protect • Where is the data • Does the data have to move anywhere • What solution(s) can meet your needs without introducing complexity

  28. Performance Impacts • Application • Database impacts • CPU • Software encryption uses CPU cycles • Network • Do you need to move data over the network • Tape Drive • Compression

  29. Summary • Data needs to be protected • Encryption is one option • But encrypting data has its challenges • Consider short term and long term expectations for data protection • Research is an absolute necessity

  30. Questions ?

More Related