INFORMATION SECURITY MANAGEMENT
Presentation Transcript

  1. INFORMATION SECURITY MANAGEMENT
     Protection Mechanisms - Cryptography

  2. Cryptography
     • Encryption
     • Cryptology

  3. Cryptography (cont’d.)
     • Cryptosystem
     • Encipher
     • Decipher
     • Algorithm
     • Key
     • Keyspace

  4. Common Ciphers
     Most commonly used algorithms include three functions:
     • Substitution
     • Transposition
     • (the third, XOR, is covered on the next slide)
     Example: Plaintext: 0010… Key: 1 > 3, 2 > 4, 3 > 2, 4 > 1, … (the character at position 1 moves to position 3, and so on) Example: FROM -> MOFR

  5. Common Ciphers
     • XOR
       • ‘0’ XOR’ed with ‘0’ results in a ‘0’. (0 ⊕ 0 = 0)
       • ‘0’ XOR’ed with ‘1’ results in a ‘1’. (0 ⊕ 1 = 1)
       • ‘1’ XOR’ed with ‘0’ results in a ‘1’. (1 ⊕ 0 = 1)
       • ‘1’ XOR’ed with ‘1’ results in a ‘0’. (1 ⊕ 1 = 0)
       • If the two values are the same, you get “0”; if not, you get “1”
       • Process is reversible; if you XOR the ciphertext with the key stream, you get the plaintext
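The three functions from slides 4 and 5 worked through in code (an added example, not part of the slide deck): the transposition uses the slide's own key "1 > 3, 2 > 4, 3 > 2, 4 > 1"; the substitution table (a shift-by-three alphabet) and the XOR keystream are constructed for the example.

```python
# Added example (not from the slides). The slide-4 transposition key
# "1 > 3, 2 > 4, 3 > 2, 4 > 1" is read as "the character at position 1 moves
# to position 3", etc.; the substitution table is a constructed shift-by-three
# alphabet; the XOR keystream used below is a constructed constant.

TRANSPOSITION_KEY = {1: 3, 2: 4, 3: 2, 4: 1}          # from slide 4, 1-based
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SUBSTITUTION_TABLE = str.maketrans(ALPHABET, ALPHABET[3:] + ALPHABET[:3])
INVERSE_SUBSTITUTION_TABLE = str.maketrans(ALPHABET[3:] + ALPHABET[:3], ALPHABET)


def substitute(text: str, table: dict) -> str:
    """Substitution: replace each character through a lookup table."""
    return text.translate(table)


def transpose(block: str, key: dict) -> str:
    """Transposition: move the character at position i to position key[i]."""
    if len(block) != len(key):
        raise ValueError("block length must equal key length")
    out = [""] * len(block)
    for src, dst in key.items():
        out[dst - 1] = block[src - 1]
    return "".join(out)


def invert_key(key: dict) -> dict:
    """Decryption uses the inverse permutation (swap source and destination)."""
    return {dst: src for src, dst in key.items()}


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR each data byte with the matching keystream byte; self-inverse."""
    if len(keystream) < len(data):
        raise ValueError("keystream must cover the whole message")
    return bytes(d ^ k for d, k in zip(data, keystream))


if __name__ == "__main__":
    print(transpose("FROM", TRANSPOSITION_KEY))                # MOFR, as on slide 4
    print(transpose("MOFR", invert_key(TRANSPOSITION_KEY)))    # FROM
    print(substitute("FROM", SUBSTITUTION_TABLE))              # IURP
    ct = xor_bytes(b"FROM", b"\x0f" * 4)
    print(ct, xor_bytes(ct, b"\x0f" * 4))                      # b'I]@B' b'FROM'
```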

  6. Common Ciphers
     • Book or running key cipher
       • Uses text in a book as the algorithm to decrypt a message
       • The key relies on two components:
         • Knowing which book to use
         • A list of codes representing the page number, line number, and word number of the plaintext word
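The book cipher from slide 6 as an added example (not from the slides): BOOK is a constructed two-page "book", and each code is the (page, line, word) triple the slide describes. It also goes one step beyond the slide by cycling repeated plaintext words through their alternative locations, so the same word does not always produce the same code.

```python
# Added example (not from the slides). BOOK is a constructed two-page "book";
# a code is a (page, line, word) triple, all 1-based, as slide 6 describes.
from collections import defaultdict

BOOK = {
    1: ["the quick brown fox", "jumps over the lazy dog"],
    2: ["attack at dawn", "meet me at the bridge"],
}


def build_index(book: dict) -> dict:
    """Map every word to all of its (page, line, word) locations in the book."""
    index = defaultdict(list)
    for page in sorted(book):
        for line_no, line in enumerate(book[page], start=1):
            for word_no, word in enumerate(line.split(), start=1):
                index[word.lower()].append((page, line_no, word_no))
    return index


def encode(plaintext: str, book: dict) -> list:
    """Replace each plaintext word by a location code. Repeated words cycle
    through their alternative locations so the same code is not reused."""
    index = build_index(book)
    used = defaultdict(int)
    codes = []
    for word in plaintext.lower().split():
        locations = index.get(word)
        if not locations:
            raise ValueError(f"word not in book: {word!r}")
        codes.append(locations[used[word] % len(locations)])
        used[word] += 1
    return codes


def decode(codes: list, book: dict) -> str:
    """Look each (page, line, word) code up in the shared book."""
    return " ".join(book[page][line - 1].split()[word - 1] for page, line, word in codes)
```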

  7. Symmetric Encryption
     • Known as private key encryption
     • Same key used to encrypt/decrypt the message

  8. Symmetric Encryption Cryptosystem
     • Data Encryption Standard (DES)
       • Based on the Data Encryption Algorithm, which uses a 64-bit block size and a 56-bit key
       • Cracked in 1997
       • Triple DES (3DES) is the improved version
     • Advanced Encryption Standard (AES)
       • Based on the Rijndael block cipher
       • Variable block length and a key length of either 128, 192, or 256 bits

  9. Asymmetric encryption
     Uses two different, but related keys
     • Either key used to encrypt/decrypt message
     • However, if Key A is used to encrypt the message, then only Key B can decrypt it; conversely, if Key B is used to encrypt a message, then only Key A can decrypt it
     Most valuable when one of the keys is private and the other is public

  10. Asymmetric encryption Figure 10-12 Public key encryption Source: Course Technology/Cengage Learning

  11. Digital Signatures
     • Asymmetric process is reversed
     • The fact that the message was sent by the organization that owns the private key cannot be refuted
     • This nonrepudiation is the foundation of digital signatures
     • Based on:
       • Digital certificate
       • A certificate authority (CA)
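The key-pair property of slide 9 and the "reversed process" of slide 11, made concrete with textbook RSA (an added example, not from the slides). The primes p = 61, q = 53 and exponent e = 17 are tiny constructed values, and no padding is applied, so this shows only the mathematics: encryption and decryption use public then private exponent, signing and verification use private then public.

```python
# Added example (not from the slides). Textbook RSA with tiny constructed
# primes (p = 61, q = 53) to make the "reversed process" of slide 11 visible.
# No padding is used here, so this illustrates the math only.
import hashlib


def rsa_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) keys, each as an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(value: int, key) -> int:
    """The single core operation: value ** exponent mod n, with either key."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt(message: int, public) -> int:
    """Confidentiality: anyone with the PUBLIC key can encrypt."""
    return rsa_apply(message, public)


def decrypt(ciphertext: int, private) -> int:
    """Only the holder of the PRIVATE key can decrypt."""
    return rsa_apply(ciphertext, private)


def message_digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it below the (tiny) modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Signing = applying the PRIVATE key to the digest (the reversed process)."""
    return rsa_apply(message_digest(message, private[1]), private)


def verify(message: bytes, signature: int, public) -> bool:
    """Anyone holding the PUBLIC key can check the signature."""
    return rsa_apply(signature, public) == message_digest(message, public[1])
```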

  12. Public key infrastructure (PKI)
     • The entire set of hardware, software, and cryptosystems necessary to implement public key encryption
     • PKI systems are based on public key cryptosystems and include digital certificates and certificate authorities

  13. Encryption Operations (cont’d.)
     • PKI provides the following services:
       • Authentication
       • Integrity
       • Confidentiality
       • Authorization
       • Nonrepudiation

  14. Hybrid Systems
     • Asymmetric encryption is typically employed in conjunction with symmetric key encryption, creating a hybrid system
     • Diffie-Hellman key exchange method
       • Asymmetric encryption is used to exchange symmetric keys so that two organizations can conduct quick, efficient, secure communications based on symmetric encryption
       • Diffie-Hellman provided the foundation for subsequent developments in public key encryption
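The hybrid pattern of slide 14 as an added example (not from the slides): a Diffie-Hellman exchange in a toy constructed group (p = 23, g = 5; real deployments use large standardised groups such as the RFC 3526 MODP groups), after which both sides hold the same symmetric key and the bulk message is encrypted symmetrically. The SHA-256 key derivation and counter keystream are constructed illustrations, not a standard cipher.

```python
# Added example (not from the slides). Toy Diffie-Hellman group (p = 23, g = 5)
# followed by symmetric encryption under the agreed key. The keystream
# construction (SHA-256 over key || counter) is a constructed illustration.
import hashlib
import secrets

P, G = 23, 5


class Party:
    """One side of the exchange: holds a private exponent, publishes g^x mod p."""

    def __init__(self, private=None):
        self.private = private if private is not None else secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)      # this value is sent to the peer

    def shared_secret(self, peer_public: int) -> int:
        """peer_public ** private mod p: both sides compute the same value."""
        return pow(peer_public, self.private, P)


def derive_key(shared: int) -> bytes:
    """Turn the agreed integer into a 256-bit symmetric key (toy KDF)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Expand the key into as many bytes as needed (counter-mode style)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def hybrid_demo(alice_private: int, bob_private: int, message: bytes) -> dict:
    """Run the exchange and report what each side ends up with."""
    alice, bob = Party(alice_private), Party(bob_private)
    # Only alice.public and bob.public travel over the network.
    k_alice = derive_key(alice.shared_secret(bob.public))
    k_bob = derive_key(bob.shared_secret(alice.public))
    ciphertext = symmetric_encrypt(k_alice, message)       # Alice encrypts
    return {"A": alice.public, "B": bob.public, "same_key": k_alice == k_bob,
            "ciphertext": ciphertext, "recovered": symmetric_encrypt(k_bob, ciphertext)}
```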

  15. Encryption Operations (cont’d.) Figure 10-14 Hybrid encryption Source: Course Technology/Cengage Learning

  16. Using Cryptographic Controls
     • Modern cryptosystems can generate unbreakable ciphertext
     • Cryptographic controls used for:
       • e-mail and its attachments
       • e-commerce transactions
       • remote access through VPN connections

  17. Email Cryptographic Controls
     • Secure Multipurpose Internet Mail Extensions (S/MIME)
     • Privacy Enhanced Mail (PEM)

  18. Email Cryptographic Controls
     • Pretty Good Privacy (PGP)
       • Uses the IDEA Cipher
         • A 128-bit symmetric key block encryption algorithm with 64-bit blocks for message encoding
       • Like PEM, it uses RSA for symmetric key exchange and to support digital signatures

  19. Securing the Web
     • IP Security (IPSec)
       • The primary and dominant cryptographic authentication and encryption product of the IETF’s IP Protocol Security Working Group
       • Combines several different cryptosystems:
         • Diffie-Hellman key exchange
         • Public key cryptography
         • Bulk encryption algorithms
         • Digital certificates

  20. Securing the Web
     • IPSec works in two modes of operation:
       • Transport
         • Only the IP data is encrypted, not the IP headers themselves
         • Allows intermediate nodes to read the source and destination addresses
       • Tunnel
         • The entire IP packet is encrypted and inserted as the payload in another IP packet
         • Often used to support a virtual private network

  21. Securing the Web
     • Secure Electronic Transactions (SET)
       • Encrypts credit card transfers with DES for encryption and RSA for key exchange
     • Secure Sockets Layer (SSL)
       • Uses RSA for key transfer
       • Relies on IDEA, DES, or 3DES for encrypted symmetric key-based data transfer
       • HTTPS, e.g. www.amazon.com

  22. Securing the Web - SSL

  23. Securing the Web
     • Secure Shell (SSH)
       • Provides security for remote access connections over public networks by using tunneling and authentication services between a client and a server
       • Used to secure replacement tools for terminal emulation, remote management, and file transfer applications

  24. Hacking Cryptography
     • Known plaintext attack
     • Ciphertext-only attack
     • Replay attack

  25. Managing Cryptographic Controls
     • Don’t lose your keys
     • Know who you are communicating with
     • It may be illegal to use a specific encryption technique when communicating to some nations
     • Every cryptosystem has weaknesses
     • Give access only to those with a business need
     • When placing trust into a certificate authority, ask “Who watches the watchers?”

  26. Managing Cryptographic Controls (cont’d.)
     • There is no security in obscurity
     • Security protocols and the cryptosystems they use are installed and configured by humans
       • They are only as good as their installers
     • Make sure that your organization’s use of cryptography is based on well-constructed policy and supported with sound management procedures