Encryption and Key Management. Arshad Noor, CTO StrongAuth, Inc. Copyright StrongAuth, Inc Version 1.1


I. Introduction

Who is StrongAuth?
- Cupertino CA-based private company
- Founded in 2001
- Focused on Architecture, Design, Development & Support of:
  - Enterprise Key Management
  - Public Key Infrastructure (PKI)
  - Symmetric Key Management System (SKMS)
- Customers in many sectors
  - Finance, Pharmaceutical, Medical Devices, e-commerce, Entertainment, Retail, BPO Services, Manufacturing

Why bother listening to me?
- 30+ years of work-experience
  - 6 years on the Business side
  - 24+ in Information Technology
  - 10+ in Cryptographic Key Management
- Designer, lead-developer of StrongKey: the industry's first, open-source, Symmetric Key Management System (2006)
- Designer, lead-developer of the StrongKey Lite Encryption System: the industry's lowest cost encryption & KM appliance (2010)

II. Some Definitions

- Encryption: A reversible cryptographic operation that transforms meaningful plaintext to illegible ciphertext
- Tokenization: A reversible operation that substitutes meaningless plaintext for meaningful plaintext
- Hashing: An irreversible cryptographic operation that transforms meaningful plaintext to an illegible message-digest (hash)
- Key Management: The life-cycle operations associated with the secure creation, use, management, distribution and destruction of cryptographic keys

Symmetric Encryption
The process of transforming plaintext to ciphertext, and vice-versa, using the same encryption/decryption key
[Figure: the plaintext "You must be the change you want to see in the world." (M.K. Gandhi) is encrypted with a key into hexadecimal ciphertext, and decrypted with the same key.]

Symmetric Encryption
- Shared key for encryption and decryption
- Faster
- Unlimited size for plaintext
- Typically used to encrypt bulk data
- Data Encryption Standard (DES): 56-bit
- Triple-Data Encryption Standard (3DES): 112 and 168-bit
- Advanced Encryption Standard (AES): 128, 192 and 256-bit

Asymmetric Encryption
The process of transforming plaintext to ciphertext, and vice-versa, using two different keys
[Figure: the plaintext "You must be the change you want to see in the world." (M.K. Gandhi) is encrypted with one key into ciphertext, and decrypted with a different key.]

Asymmetric Encryption
- Different keys for encryption & decryption
- Slower
- Limited size for plaintext
  - Less than the size of the key
- Used to encrypt symmetric keys & hashes
- Rivest-Shamir-Adleman (RSA)
  - 512 to 8192-bits
  - 2048-bits recommended for 2010 deployments

Message Digest (Hash)
The object created by the process of transforming data to a fixed-size cryptographic value using a one-way transformation process
[Figure: the plaintext "You must be the change you want to see in the world." (M.K. Gandhi) is hashed into a fixed-size hexadecimal digest.]

Message Digest (Hash)
- No key is involved, just an algorithm
- Unlimited size data
- Typically used to verify the integrity of a file
- Message Digest 5 (MD5): Broken!!
  - 128-bit fixed size
- Secure Hashing Algorithm (SHA)
  - SHA1: 160-bit (Avoid, if possible)
  - SHA-256, SHA-384 and SHA-512

Tokenization
The process of substituting a like-value for plaintext without the use of cryptography
- 1234 5678 9012 3456 -> 9999 0000 0000 5678
- 123-45-6789 -> 800-00-0123
- 123456789 98765432 -> 100000000 00001234
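A vault-based tokenizer in the sense defined above, as an added example that is not from the original slides: each digit is replaced by a random digit so the token keeps the format of the plaintext, and the only way back is a lookup in the vault. The class name `TokenVault` and the in-memory dictionaries are assumptions; a real vault is a hardened, access-controlled store.

```python
import secrets


class TokenVault:
    """Hypothetical in-memory token vault: token <-> plaintext by lookup only."""

    def __init__(self):
        self._by_token = {}   # token -> plaintext
        self._by_value = {}   # plaintext -> token

    @staticmethod
    def _random_like(value):
        # Keep length and separators; replace every digit with a random digit.
        return "".join(secrets.choice("0123456789") if c.isdigit() else c
                       for c in value)

    def tokenize(self, value):
        if not any(c.isdigit() for c in value):
            raise ValueError("nothing to substitute: value has no digits")
        if value in self._by_value:          # same plaintext -> same token
            return self._by_value[value]
        while True:
            token = self._random_like(value)
            # Reject the identity mapping and collisions with stored entries.
            if (token != value and token not in self._by_token
                    and token not in self._by_value):
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        # Reversal needs vault access; there is no key that derives it.
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    for sample in ("1234 5678 9012 3456", "123-45-6789"):  # values from the slide
        print(sample, "->", vault.tokenize(sample))
```

Because the token is random, compromise of a system that stores only tokens reveals nothing about the plaintext; the vault becomes the single asset to protect.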

III. Cryptography Pitfalls

Cryptography pitfalls-1
- Storing symmetric key in a file, registry-entry, database record somewhere on the system
- Encrypting symmetric key with public key, but storing private key in a file
- Using Password-Based-Encryption (PBE), but storing the password in a file
- Compiling symmetric key into the program
- Encrypting symmetric key with another symmetric key
- Backing up the key with the ciphertext

Cryptography pitfalls-2
- Using a single key to encrypt all data
- Not verifying the integrity of decrypted data
- Not thinking through key-rotation issues
  - Single rotation per year
  - Rotating DEK-ciphertext - not data-ciphertext
- Not thinking through split-key knowledge issues
- Not planning for rapid changes in cryptography
- Encrypting at the wrong layer of the stack
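Two of the pitfalls above shown in code, as an added example that is not from the original slides: decryption that refuses data whose integrity tag fails, and the difference between rotating only the DEK-ciphertext and rotating the data-ciphertext. The cipher is a standard-library stand-in (HMAC-SHA-256 keystream plus HMAC tag) used so the block runs offline; use an authenticated cipher such as AES-GCM in production. The function names and the "KEK" (key-encrypting key, assumed to live in an HSM or key-management appliance) are assumptions.

```python
import hashlib
import hmac
import secrets


def _keys(key):
    # Derive separate encryption and MAC keys from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_stream(enc_key, nonce, data):
    # Stand-in cipher: HMAC-SHA-256 in counter mode as the keystream.
    blocks = (len(data) + 31) // 32
    stream = b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    enc_key, mac_key = _keys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    enc_key, mac_key = _keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting
        raise ValueError("integrity check failed")
    return _xor_stream(enc_key, nonce, ct)


def store(kek, plaintext):
    dek = secrets.token_bytes(32)                # one DEK per record
    return {"wrapped_dek": seal(kek, dek), "data": seal(dek, plaintext)}


def load(kek, rec):
    return unseal(unseal(kek, rec["wrapped_dek"]), rec["data"])


def rewrap_only(old_kek, new_kek, rec):
    # Pitfall: only the DEK-ciphertext changes; DEK and data-ciphertext do not.
    dek = unseal(old_kek, rec["wrapped_dek"])
    return {"wrapped_dek": seal(new_kek, dek), "data": rec["data"]}


def rotate_data(old_kek, new_kek, rec):
    # Full rotation: fresh DEK, data re-encrypted under it.
    return store(new_kek, load(old_kek, rec))
```

After `rewrap_only`, a DEK exposed before the rotation still decrypts the record; after `rotate_data`, it fails the integrity check.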

Real-world analogy
Precious cargo is protected all the time!

Cryptography pitfalls-3
- Encrypting at the wrong layer of the stack
[Figure: the stack of layers: Application, Network, Web Server, Application Server, JDBC/ODBC, Database, Operating System, Hard Disk Drive; labels in the figure: SKLES, Vulnerable, Others.]

The right way
[Figure: the same stack of layers: Application, Network, Web Server, Application Server, JDBC/ODBC, Database, Operating System, Hard Disk Drive; labels in the figure: SKLES, Irrelevant.]

IV. Solution

So, what do you do?
- Reduce the exposure of sensitive data
- Abstract cryptography out of the application
- Use a cryptographic hardware module as a back-stop
- Use specialized solutions rather than homebrewed encryption
- Follow NIST guidelines for algorithms, key-sizes

Reduce the exposure - 1
[Figure: System-1 through System-5, each labelled "Sensitive Data".]

Reduce the exposure - 2
[Figure: System-1 through System-5, each labelled "Sensitive Data".]

Reduce the exposure - 3
[Figure: System-1 through System-5, each labelled "Sensitive Data", together with SKLES.]

Abstract cryptography out
[Figure: C/C++, Java and PHP/Ruby applications, a network, an application server, an LDAP server, a crypto-module and an internal DB, with steps numbered 1 to 7; labels in the figure: Applications, Encryption and Key Management.]

Use cryptographic hardware
- TPM: Trusted Platform Module
  - CC EAL4+ certified
  - RSA 2048-bit keys that never leave the TPM
  - Embedded on computer motherboards
- HSM: Hardware Security Module
  - FIPS 140-2 certified
  - RSA and Suite-B algorithms
  - Erases on-board cryptographic material when stolen

Use specialized solutions

NIST Guidelines
- Triple-DES (112- or 168-bits) symmetric keys
- AES (128-, 192- or 256-bits) symmetric keys
- RSA (2048-bits or greater) asymmetric keys
- SHA-256, SHA-384 or SHA-512 for message digests
- FIPS 140-2 certified cryptographic hardware modules
- Common Criteria EAL certified cryptographic hardware modules

Summary
- Cryptography has always been complex, but is getting increasingly so:
  - Attackers are knowledgeable and using crypto
  - Crypto-hardware is becoming ubiquitous
  - Growing number of crypto forums and standards
  - State laws are referencing PCI-DSS or crypto directly
    - Massachusetts, Minnesota, Nevada, Washington
- Education and a long-term strategy are key to preventing crypto-chaos

Thank You
Questions?
Contact Information:
Arshad Noor
arshad.noor@strongauth.com
(408) 331-2001 Direct
(408) 515-8557 Mobile
www.strongauth.com