Data Security - PDF

Summary

This document provides an overview and information on data security. It discusses the differences between data security and compliance, and various types of data security strategies. The document also examines business challenges related to data security and compliance and describes security tools and protocols.

Full Transcript

1

DATA SECURITY
 2

CONTENTS

Why is data security important?
Difference between data security and compliance
Types of Data Security
Data Security strategies
Data Security Trends
How data Security and other facets interact
 3

WHY IS DATA SECURITY IMPORTANT?

Data security is the practice of protecting digital
information from unauthorized access, corruption
or theft throughout its entire lifecycle. It’s a concept
that encompasses every aspect of information
security from the physical security of hardware and
storage devices to administrative and access
controls, as well as the logical security of software
applications. It also includes organizational policies
and procedures.
DATA SECURITY AND COMPLIANCE
4

What’s the difference?

Data security is the application of deterrents or security
controls to protect data. The level of deterrents or security
is commensurate to how the individual or entity uniquely
“values” the data.

Compliance is applying a baseline of security controls
(people, process, technology) defined by a standard. The
baseline is applied to a specific type of data….typically
regulated; such as health information, financial, personally
identifiable information
DATA SECURITY AND COMPLIANCE 5

Does Compliance equal highest level of security?
No, it ensures a repeatable, stable baseline of security
that can be measured to meet a specific regulatory
requirement
Does highest level of security mean you are “secure”?
Maybe, depends on where you place your security.
Can you cover 100%...probably not.

Data Security and Compliance are key pieces to GW’s
information risk management…ensuring compliance and
placing highest security controls on assets that matter the
most
 COMPLIANCE LANDSCAPE 6

http://www.higheredcompliance.org/matrix/
 BUSINESS CHALLENGES 7

Digital transformation is profoundly altering every aspect of
how today’s businesses operate and compete. The sheer
volume of data that enterprises create, manipulate and store
continues to grow, driving a greater need for data governance.
In addition, computing environments are more complex than
they once were, routinely spanning the public cloud, the
enterprise data center and numerous edge devices ranging
from Internet of Things (IoT) sensors to robots and remote
servers. This complexity creates an expanded attack surface
that’s more challenging to monitor and secure.
FRAMEWORKS AND STRATEGIES…MORE 8

THAN TECHNOLOGY
NIST 800-53 ISO27001

National Cybersecurity Framework
 BUSINESS CHALLENGES 9

The need for data compliance is magnified by maximum fines
in the millions of dollars. Every enterprise has a strong
financial incentive to ensure it maintains compliance.
 BUSINESS CHALLENGES 10

Security and compliance are often characterized as two sides of the
same coin—you can’t have one without the other. As cloud-resident
data increases, it raises the ante for the organization to secure ever-
growing data and meet compliance requirements
BUSINESS CHALLENGES 11
 BUSINESS CHALLENGES 12

Effective compliance program
 BUSINESS CHALLENGES 13

Usage of enterprise data security technologies
 ADVANCED DATA SECURITY… 14

Part of a defense in depth strategy to apply higher levels
of security to high value information/assets

Penetration tests/Red team analysis
Application code reviews
System hardening
Logging
Intrusion detection
Staff with advanced training/credentials (forensics,
malware analysis)
 EXAMPLES OF DATA SECURITY ≠ 15

COMPLIANCE

40 million credit cards stolen, Target was PCI (Payment
Card Industry) compliant, attacked through HVAC vendor
 TYPE OF DATA SECURITY 16

ENCRYPTION – using DATA MASKING –
an algorithm to organizations can allow
transform normal text teams to develop
characters into application using real
unreadable format. data

DATA RESILIENCY –
determined by how well
DATA ERASURE – uses an organizations endures
or recovers from any type
software to of failures – from
completely overwrite hardware to power
data in any storage shortages and other
device. events that affects data
availability.
DATA SECURITY CAPABILTIES AND SOLUTIONS 17

Data discovery and
classification tools –
Data and files activity
sensitive information
monitoring – analyze
can reside in structures
data usage patterns,
and unstructured
enabling security teams
repositories including
to see who is access data,
databases, data
spot anomalies and
warehouse, big data
identify risks.
platforms and cloud
environment
Vulnerability
assessment and risk Automated
analysis tools – these compliance reporting
solutions ease the – comprehensive data
process of detecting protection solutions.
and mitigating
vulnerabilities
 DATA SECURITY STRATEGIES 18

Access
Physical security management and
of servers and controls – the Application security and
user devices – a principle of “least- patching – all software
should be updated to
cloud provider privilege access” the latest version
will assume should be followed
responsibility throughout your
entire IT
environment.

Employee Education – Network and endpoints
Backups – maintain training employees in security monitoring and
usable, thoroughly the importance of good controls – implementing
tested backup copies of security practices and a comprehensive suite
all critical data is a core password hygine - of threat management,
component of any “human firewall” detection, and response
robust data security tools and platforms…
strategies.
 19

COMMON DENOMINATORS
What are the common denominators?

Knowing what data you have
Knowing the value of the data
Knowing the risks to your data
Understanding likelihood and impact of these risks
Accepting a level of risk
 20

COMMON RISK FACTORS

Awareness of information in your care
Access to information…need to know principle
Dissemination of information…technology makes it easy
Lack of knowledge or training of staff…knowing your role,
how to identify and what to do in situations
Increased visibility of data loss…fines, reputational hit,
accreditation risks, grants
 21

BEST PRACTICES YOU CAN TAKE
Referencing back to the Common Denominators slide
Knowing what data you have
Knowing the value of the data
Knowing the risks to your data
Understanding the risk tolerance
Ensure you and your team are leveraging available resources
(tools, training, seminars)
Never hesitate to ask for assistance…better to be safe
 22

DATA SECURITY TRENDS

AI – this allows for rapid decision-
making in times of critical need.

Quantum – a revolutionary
technology,

Multicloud security – the
definition of data security
has expanded as cloud
capabilities grow,
HOW DATA SECURITY AND OTHER 23

SECURITY FACETS INTERACT
Achieving enterprise-grade data
security - the key to applying an
effective data security strategy is
Data security and BYOD - the use of
adopting a risk-based approach to
personal computers, tablets, and
protecting data across the entire
mobile devices in enterprise
enterprise
computing environments is on the
rise despite security leaders’ well-
founded concerns about the risks
that this practice can pose
Data security and the cloud -
securing cloud-based
infrastructures requires a different
approach than the traditional
model of situating defenses at the
network’s perimeter.
SECURITY
COMPLIANCE
MANAGER
A Tool for Managing Security Configurations and
Compliance
 WHAT IS SECURITY
COMPLIANCE MANAGER?

Security Compliance Manager (SCM) is a tool
developed by Microsoft to help organizations manage
security configurations and ensure compliance.
It includes pre-configured baselines for Windows OS
and other Microsoft products, allowing administrators to
assess, customize, and deploy security configurations.
 KEY FEATURES OF SECURITY
COMPLIANCE MANAGER

1. Pre-configured Baseline Templates
2. Customization of Baselines
3. Compliance Assessments
4. Security Configuration Deployment
5. Reporting and Documentation
 PRE-CONFIGURED
BASELINE TEMPLATES

- Includes templates for Windows OS, Office, and more.
- Baselines adhere to industry standards and best
practices.
- Administrators can use these templates as a starting
point for security configurations.
 CUSTOMIZATION OF
BASELINES

- Users can modify baselines to meet specific
requirements.
- Export options include GPO backups, DCM packs,
and SCCM formats.
- Customized baselines can be deployed across the
organization.
 COMPLIANCE
ASSESSMENTS

- SCM allows comparisons between existing
configurations and predefined baselines.
- Helps identify non-compliance and security gaps.
- Facilitates continuous monitoring and improvement.
 SECURITY CONFIGURATION
DEPLOYMENT

- Supports exporting baselines to Group Policy or SCCM.
- Simplifies deployment and management of security
settings.
- Ensures consistency across all systems and devices.
 REPORTING AND
DOCUMENTATION

- SCM provides detailed reports and documentation on
each setting.
- Useful for auditors and compliance officers.
- Enables organizations to maintain transparency in
security configurations.
 USE CASES FOR SECURITY
COMPLIANCE MANAGER

1. Ensuring Compliance with Regulations
2. Security Hardening of Systems
3. Configuration Management for Large-Scale
Environments
4. Security Auditing and Assessment
 DISCONTINUATION AND
MODERN ALTERNATIVES

- Microsoft has discontinued SCM; it is no longer
supported.
- Recommended alternative: Microsoft Security
Compliance Toolkit.
- The toolkit includes updated security baselines for
modern security and compliance needs.
SECURITY POLICY
Guidelines for Information Security and Risk Management
 INTRODUCTION TO
SECURITY POLICY

A Security Policy is a formal document that outlines an
organization’s rules and procedures for protecting its
data and information systems.
It ensures the confidentiality, integrity, and availability
of data, providing guidelines for secure operations and
compliance with regulations.
 PURPOSE AND SCOPE

- **Purpose**: To define guidelines for safeguarding
organizational assets and data.
- **Scope**: Covers employees, contractors, systems,
and data within the organization.
 KEY COMPONENTS OF A
SECURITY POLICY
1. Information Classification
2. Access Control
3. User Responsibilities
4. Data Protection
5. Incident Response and Reporting
6. Physical and Environmental Security
7. Network and System Security
8. Third-Party and Vendor Management
9. Training and Awareness
10. Compliance and Legal Requirements
 INFORMATION
CLASSIFICATION

- Categorizes data based on sensitivity and criticality.
- Defines levels of access and handling requirements
(e.g., Confidential, Internal, Public).
- Guides how data should be stored, transmitted, and
disposed of.
 ACCESS CONTROL

- Establishes procedures for granting and revoking
access.
- Includes guidelines for authentication and
authorization.
- Enforces least privilege principle and regular review of
permissions.
 INCIDENT RESPONSE AND
REPORTING

- Defines what constitutes a security incident and how
to report it.
- Outlines the organization’s incident response plan.
- Steps include containment, mitigation,
communication, and post-incident review.
 DATA PROTECTION

- Details encryption standards, data storage, and data
transmission requirements.
- Includes backup, retention, and secure disposal
practices.
- Ensures compliance with data protection regulations.
 COMPLIANCE AND
LEGAL REQUIREMENTS

- Specifies adherence to regulations (e.g., GDPR,
HIPAA, PCI-DSS).
- Includes procedures for audits and compliance
reviews.
- Ensures policies are up-to-date with changing laws
and standards.
 POLICY REVIEW AND
UPDATES

- Sets a schedule for periodic review and updating of
the policy.
- Assigns responsibility for maintaining the policy.
- Adapts to new security threats and changes in the
organization’s environment.
WINDOWS
SECURITY SETTINGS
Overview and Configuration of Key Security Settings in
Windows OS
 INTRODUCTION TO
WINDOWS SECURITY
SETTINGS
Windows Security Settings are configurations and
policies that control user access, system security, and
data protection.
These settings help prevent unauthorized access, data
breaches, and malware attacks by enforcing security
policies and restrictions.
 KEY WINDOWS SECURITY
SETTINGS
1. Account and User Rights Management
2. Local Security Policy
3. Windows Firewall and Network Protection
4. User Account Control (UAC)
5. BitLocker Drive Encryption
6. Windows Defender Antivirus
7. Group Policy Management
8. Credential Guard
9. Device Guard and Application Control
10. Security Baselines
 ACCOUNT AND USER
RIGHTS MANAGEMENT

- Account Policies: Password policy, account lockout
policy, and Kerberos settings.
- User Rights Assignment: Assigns privileges like "Log on
locally" and "Shut down the system".
- Secures user accounts to prevent unauthorized
access.
 LOCAL SECURITY POLICY

- Security Options: Controls system settings like UAC
behavior and network security.
- Audit Policy: Configures which events are logged in
the Event Viewer.
- Allows granular control of security settings on
individual systems.
 WINDOWS FIREWALL AND
NETWORK PROTECTION

- Manages inbound and outbound traffic to and from
the computer.
- Allows creating firewall rules and configuring IPsec
policies.
- Essential for protecting against network-based
attacks.
 USER ACCOUNT
CONTROL (UAC)

- Prompts for administrative approval when changes
affect system settings.
- Reduces the risk of malware gaining elevated
privileges.
- Configurable through Local Security Policy and Group
Policy.
 BITLOCKER DRIVE
ENCRYPTION

- Provides full-volume encryption for protecting data at
rest.
- Can be enforced through group policy.
- Ensures data is secure even if the device is lost or
stolen.
 GROUP POLICY
MANAGEMENT

- Use Group Policy Editor (GPE) for centralized
management of security settings.
- Configures user rights, security policies, and software
restrictions.
- Enables policy-based security management across
large environments.
 WINDOWS DEFENDER
ANTIVIRUS

- Built-in antivirus and anti-malware solution for
Windows.
- Provides real-time protection and regular updates.
- Configurable through Group Policy and PowerShell for
automated deployments.
 CREDENTIAL GUARD
AND DEVICE GUARD

- Credential Guard: Protects credentials from being
stolen through isolation.
- Device Guard: Uses hardware-based security to lock
down devices.
- Prevents attacks like Pass-the-Hash and unauthorized
application execution.
 BEST PRACTICES FOR
WINDOWS SECURITY
SETTINGS
1. Enforce Strong Password Policies
2. Enable Multi-factor Authentication (MFA)
3. Apply Security Baselines for Consistency
4. Regularly Update and Patch Systems
5. Use BitLocker and Credential Guard
6. Implement Firewall Rules for Network Security
7. Monitor System Logs and Audit Policies
Principles of Information Security
Sixth Edition

Data Encryption

Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
 Learning Objectives

Upon completion of this material, you should be
able to:
– Chronicle the most significant events and
discoveries in the history of cryptology
– Explain the basic principles of cryptography
– Describe the operating principles of the most
popular cryptographic tools
– List and explain the major protocols used for secure
communications
 Introduction

Cryptology: the field of science that encompasses
cryptography and cryptanalysis.
Cryptanalysis: the process of obtaining the
plaintext message from a ciphertext message
without knowing the keys used to perform the
encryption.
Cryptography: the process of making and using
codes to secure information.
 Foundations of Cryptology

Cryptology has an extensive and multicultural
history.
All popular Web browsers use built-in encryption
features for secure e-commerce applications.
Restrictions on the export of cryptosystems began
after World War II.
 Terminology

Algorithm
Bit stream cipher
Block cipher
Cipher or cryptosystem
Ciphertext/Cryptogram
Code
Decipher
Decrypt
 Terminology

Encipher
Encrypt
Key/Crypto variable
Keyspace
Link encryption
Plaintext/Cleartext
Steganography
Work factor
 Cipher Methods

Plaintext can be encrypted through:
– Bit stream: each plaintext bit is transformed
into a cipher bit one bit at a time.
– Block cipher: message is divided into blocks
(e.g., sets of 8- or 16-bit blocks), and each is
transformed into encrypted block of cipher
bits using algorithm and key.
 Substitution Cipher

Substitutes or exchanges one value for another
Monoalphabetic substitution: only incorporates a
single alphabet in the encryption process
Polyalphabetic substitution: incorporates two or
more alphabets in the encryption process
Vigenère cipher: advanced type of substitution
cipher that uses a simple polyalphabetic code;
made up of 26 distinct cipher alphabets
The Vigenere square
 Transposition Cipher

Also known as a permutation cipher; involves
simply rearranging the values within a block based
on an established pattern.
Can be done at the bit level or at the byte
(character) level.
To make the encryption even stronger, the keys and
block sizes can be increased to 128 bits or more.
 Exclusive OR (XOR)

A function within Boolean algebra used as an
encryption function in which two bits are
compared.
– If the two bits are identical, the result is a binary 0.
– If the two bits are not identical, the result is a binary
1.
Very simple to implement and simple to break;
should not be used by itself when organization is
transmitting/storing sensitive data.
 Table 8-3 XOR Table

First bit Second bit result

0 0 0

0 1 1

1 0 1

1 1 0
Table 8-3 Example XOR Encryption

Text value Binary value

CAT as bits 010000110100000101010100

VVV as key 010101100101011001010110

Cipher 000101010001011100000010
 Vernam Cipher
A cryptographic technique developed at AT&T and
known as the “one-time pad.”
This cipher uses a set of characters for encryption
operations only one time and then discards it.
To perform:
– The pad values are added to numeric values that
represent the plaintext that needs to be encrypted
– Each character of the plaintext is turned into a number
and a pad value for that position is added
– The resulting sum for that character is then converted
back to a ciphertext letter for transmission
– If the sum of the two values exceeds 26, then 26 is
subtracted from the total
 Book-Based Ciphers
Uses text from a predetermined book as a key to
decrypt a message.
Book cipher: ciphertext consists of a list of codes
representing page, line, and word numbers of
plaintext word.
Running key cipher: uses a book for passing the
key to cipher similar to Vigenère cipher; sender
provides encrypted message with sequence of
numbers from predetermined book to be used as
an indicator block.
Template cipher: involves use of hidden message in
book, letter, or other message; requires page with
specific number of holes cut into it.
 Hash Functions

Mathematical algorithms that create a message
summary or digest to confirm message identity and
integrity
Convert variable-length messages into a single
fixed-length value
Message authentication code (MAC) may be
attached to a message
Used in password verification systems to store
passwords and confirm the identity of the user
 Figure 8-4 Various hash values

Source: SlavaSoft HashCalc.
 Cryptographic Algorithms

Often grouped into two broad categories,
symmetric and asymmetric.
Today’s popular cryptosystems use a combination
of both symmetric and asymmetric algorithms.
Symmetric and asymmetric algorithms are
distinguished by the types of keys used for
encryption and decryption operations.
 Symmetric Encryption

A cryptographic method in which the same
algorithm and “secret” are used both to encipher
and decipher the message; also known as private-
key encryption.
Can be programmed into fast computing algorithms
and executed quickly.
Both sender and receiver must possess the same
secret key.
If either copy of the key is compromised, an
intermediate can decrypt and read messages
without sender/receiver knowledge.
 Symmetric Encryption Encryption

Data Encryption Standard (DES): one of the most
popular symmetric encryption cryptosystems.
– 64-bit block size; 56-bit key
Triple DES (3DES): created to provide security far
beyond DES.
– Advanced Encryption Standard (AES): developed to
replace both DES and 3DES
▪ Adopted by NIST in November 2001 as the federal
standard for encrypting non-classified information
Figure 8-5 Example of symmetric
encryption

Rachel at ABC corp. generates a secret key. She must somehow get it to
Alex at XYZ corp. out of band. Once Alex has it, Rachel can use it to
encrypt messages, and Alex can use it to decrypt and read them.
 Asymmetric Encryption
A cryptographic method that incorporates
mathematical operations involving two different keys
(commonly known as the public key and the private key)
to encipher or decipher a message.
Either key can be used to encrypt a message, but then
the other key is required to decrypt it.
Also known as public-key encryption.
Uses two different but mathematically related keys
– Either key can encrypt or decrypt a message
– If Key A encrypts a message, only Key B can decrypt
– Greatest value when one key serves as a private key and
the other serves as a public key
RSA algorithm was the first public-key encryption
algorithm developed/published for commercial use.
Figure 8-6 Example of asymmetric
encryption

Alex at XYZ corp. wants to send a message to Rachel at ABC corp. Rachel
stores her public key where it can be accessed by anyone. Alex retrieves
Rachel’s key and uses it to create ciphertext that can be decrypted only
by Rachel’s private key, which only she has. To respond, Rachel gets
Alex’s public key to encrypt her message.
 Encryption Key Size

When deploying ciphers, the size of the
cryptovariable or key is very important.
The strength of many encryption applications and
cryptosystems is measured by key size.
For cryptosystems, the security of encrypted data
is not dependent on keeping the encrypting
algorithm secret.
Cryptosystem security depends on keeping some
or all of elements of cryptovariable(s) or key(s)
secret.
 Encryption key power
It is estimated that to crack an encryption key using a brute force attack, a
computer needs to perform a maximum of 2^k operations (2k guesses), where k is
the number of bits in the key. In reality, the average estimated time to crack is half
that time.
The estimated average time to crack is based on a 2015-era PC with an Intel i7-
6700k Quad core CPU performing 207.23 Dhrystone GIPS (billion instructions per
second) at 4.0 GHz**

Key Length Maximum Number of Estimated Average
Maximum Time to Crack
(Bits) Operations (Guesses) Time to Crack

16 65,536 0.0000003 seconds 0.00000016 seconds

24 16,777,216 0.00008 seconds 0.00004 seconds

32 4,294,967,296 0.02 seconds 0.01 seconds

56 7.E+16 4.02 days 2.01 days

64 2.E+19 42.93 years 21.47 years

19,005,227,625,557,100, 9,502,613,812,778,540,
128 3.E+38
000,000 years 000,000 years
 Table 8-5 Encryption key power
Maximum Number
Key
of Estimated Average
Length Maximum Time to Crack
Operations Time to Crack
(Bits)
(Guesses)

3,233,
6,467,143,840,295,770,
571,920,147,890,000,
000,000,000,000,000,
256 1.E+77 000,000,000,000,000,
000,000,000,000,000,
000,000,000,000,000,
000,000,000,000,000 years
000,000,000,000 years

748,844,096, 374,422,048,
666,088,000,000,000,000, 333,044,000,000,000,000,
000,000,000,000,000,000, 000,000,000,000,000,000,
000,000,000,000,000,000, 000,000,000,000,000,000,
512 1.E+154 000,000,000,000,000,000, 000,000,000,000,000,000,
000,000,000,000,000,000, 000,000,000,000,000,000,
000,000,000,000,000,000, 000,000,000,000,000,000,
000,000,000,000,000,000, 000,000,000,000,000,000,
000 years 000 years
 Table 8-5 Encryption key power (3 of 3)
**Note: The authors acknowledge that this benchmark is based on a very
specific application test and that the results are not generalizable. However,
these calculations are shown to illustrate the relative difference between key
length strength rather than to accurately depict time to crack. Even using the
much more conservative TechSpot 7-zip benchmark, which clocked this
CPU at 25,120
MIPS (or 25.12 GIPS), the estimated average time to crack would only be
approximately 8.25 times slower than the numbers shown, resulting in an
average time to crack of 16.6 days, as opposed to the 2.01 days shown
above for a 56-bit key length. Some new 2016-era CPUs are approximately
twice as fast as the version shown here on the 7-zip benchmarks, but they
do not include Dhrystone benchmarks (such as the Intel Core i7-6950X with
10 cores/20 threads).
Source: www.techspot.com/review/1187-intel-core-i7-6950x-broadwell-
e/page4.html.
 Cryptographic Tools

Potential areas of use include:
– Ability to conceal the contents of sensitive messages
– Verify the contents of messages and the identities of
their senders
Tools must embody cryptographic capabilities so
that they can be applied to the everyday world of
computing.
 Public-Key Infrastructure (PKI)

Integrated system of software, encryption
methodologies, protocols, legal agreements, and
third-party services enabling users to communicate
securely
PKI systems based on public-key cryptosystems
PKI protects information assets in several ways:
– Authentication
– Integrity
– Privacy
– Authorization
– Nonrepudiation
 Public-Key Infrastructure (PKI) (2 of 2)

Typical PKI solution protects the transmission and
reception of secure information by integrating:
– A certificate authority (CA)
– A registration authority (RA)
– Certificate directories
– Management protocols
– Policies and procedures
 Digital Signatures

Created in response to rising the need to verify
information transferred via electronic systems.
Asymmetric encryption processes used to create
digital signatures.
Nonrepudiation: the process that verifies the
message was sent by the sender and thus cannot
be refuted.
Digital Signature Standard (DSS) is the NIST
standard for digital signature algorithm usage by
federal information systems. DSS is based on a
variant of the ElGamal signature scheme.
 Digital Certificates

Electronic document/container file containing key
value and identifying information about entity that
controls key.
Digital signature attached to certificate’s container
file certifies file’s origin and integrity.
Different client-server applications use different
types of digital certificates to accomplish their
assigned functions.
Distinguished name (DN): uniquely identifies a
certificate entity.
Figure 8-7 Digital signature in Windows
Internet Explorer

Source: Windows Internet Explorer.
 Figure 8-8 Example digital certificate

Source: Amazon.com.
Table 8-6 X.509 v3 Certificate Structure

X.509 v3 Certificate Structure
Version
Certificate Serial Number
Algorithm ID
Algorithm ID
Parameters
Issuer Name
Validity
Not Before
Not After
Subject Name
Subject Public-Key Information
Public-Key Algorithm
Parameters
Subject Public Key
Issuer Unique Identifier (Optional)
 Subject Unique Identifier (Optional)

Extensions (Optional)
Type
Criticality
Value
Certificate Signature Algorithm

Certificate Signature

Source: Stallings, W. Cryptography and Network Security, Principles
and Practice.
 Hybrid Cryptography Systems

Except with digital certificates, pure asymmetric
key encryption is not widely used.
Asymmetric encryption is more often used with
symmetric key encryption, as part of a hybrid
system.
Diffie-Hellman Key Exchange method:
– Most common hybrid system
– Provides foundation for subsequent developments in
public-key encryption
Figure: Example of hybrid encryption

Rachel at ABC corp. stores her public key where it can be
accessed. Alex at XYZ corp. retrieves it and uses it to encrypt his
session (symmetric) key. He sends it to Rachel, who decrypts
Alex’s session key with her private key, and then uses Alex’s
session key for short-term private communications.
 Steganography

The process of hiding messages; for example,
hiding a message within the digital encoding of a
picture or graphic so that it is almost impossible to
detect that the hidden message even exists
Also known as the art of secret writing
Has been used for centuries
Most popular modern version hides information
within files that contain digital pictures or other
images
Some applications hide messages in.bmp,.wav,.mp3, and.au files, as well as in unused space on
CDs and DVDs
 Protocols for Secure Communications

Most of the software currently used to protect the
confidentiality of information are not true
cryptosystems.
They are applications to which cryptographic
protocols have been added.
Particularly true of Internet protocols.
As the number of threats to the Internet grew, so
did the need for additional security measures.
 Securing Internet Communication with S-
HTTP and SSL
Secure Sockets Layer (SSL) protocol: developed by
Netscape; uses public-key encryption to secure
channel over public Internet.
Secure Hypertext Transfer Protocol (S-HTTP):
extended version of Hypertext Transfer Protocol;
provides for encryption of individual messages
between client and server across Internet.
S-HTTP is the application of SSL over HTTP
– Allows encryption of information passing between
computers through protected and secure virtual
connection
Securing E-mail with S/MIME, PEM, and PGP

Secure Multipurpose Internet Mail Extensions
(S/MIME): builds on Multipurpose Internet Mail
Extensions (MIME) encoding format and uses
digital signatures based on public-key
cryptosystems.
Privacy Enhanced Mail (PEM): proposed as
standard to use 3DES symmetric key encryption
and RSA for key exchanges and digital signatures.
Pretty Good Privacy (PGP): uses IDEA Cipher for
message encoding.
Securing Web Transactions with SET, SSL,
and S-HTTP
Secure Electronic Transactions (SET): developed
by MasterCard and VISA in 1997 to protect against
electronic payment fraud.
Uses DES to encrypt credit card information
transfers.
Provides security for both Internet-based credit
card transactions and credit card swipe systems in
retail stores.
Securing Wireless Networks with WEP and
WPA
Wired Equivalent Privacy (WEP): early attempt to
provide security with the 8002.11 network protocol.
Wi-Fi Protected Access (WPA and WPA2): created
to resolve issues with WEP.
Next Generation Wireless Protocols: Robust Secure
Networks (RSN), AES–Counter Mode CBC MAC
Protocol (CCMP).
Bluetooth can be exploited by anyone within
approximately 30 foot range, unless suitable
security controls are implemented.
 Table: WEP Versus WPA

WEP WPA
Encryption Broken by scientists and Overcomes all WEP shortcomings
hackers
40-bit key 128-bit key
Static key- the same value is Dynamic keys-each user is assigned
used by everyone on the a key per session with additional
network keys calculated for each pocket
Manual key distribution- Automatic key distribution
each key is typed by hand
into each device
Authentication Broken; used WEP key itself Improved user authentication, using
for Authentication stronger 802. 1X and EAP

Source: www.wi-fi.org/files/wp_8_WPA%20Security_4-29-03.pdf.
 Securing TCP/IP with IPSec and PGP

Internet Protocol Security (IPSec): an open-source
protocol framework for security development
within the TCP/IP family of protocol standards.
IPSec uses several different cryptosystems
– Diffie-Hellman key exchange for deriving key material
between peers on a public network
– Public-key cryptography for signing the Diffie-
Hellman exchanges to guarantee identity
– Bulk encryption algorithms for encrypting the data
– Digital certificates signed by a certificate authority
to act as digital ID cards
 Securing TCP/IP with IPSec and PGP
(2 of 2)
Pretty Good Privacy (PGP): hybrid cryptosystem
designed in 1991 by Phil Zimmermann
– Combined best available cryptographic algorithms to
become open source de facto standard for
encryption and authentication of e-mail and file
storage applications
– Freeware and low-cost commercial PGP versions are
available for many platforms
– PGP security solution provides six services:
authentication by digital signatures, message
encryption, compression, e-mail compatibility,
segmentation, key management
Figure: IPSec headers
 Summary

Encryption is the process of converting a message
into a form that is unreadable to unauthorized
people.
The science of encryption, known as cryptology,
encompasses cryptography (making and using
encryption codes) and cryptanalysis (breaking
encryption codes).
Two basic processing methods are used to convert
plaintext data into encrypted data—bit stream and
block ciphering.
 Summary (2 of 5)

The other major methods used for scrambling data
include substitution ciphers, transposition ciphers,
the XOR function, the Vigenère cipher, and the
Vernam cipher.
The strength of many encryption applications and
cryptosystems is determined by key size.
Hash functions are mathematical algorithms that
generate a message summary, or digest, that can
be used to confirm the identity of a specific
message, and confirm that the message has not
been altered.
 Summary (3 of 5)

Most cryptographic algorithms can be grouped into
two broad categories: symmetric and asymmetric.
Most popular cryptosystems combine the two.
Public-key infrastructure (PKI) is an integrated
system of software, encryption methodologies,
protocols, legal agreements, and third-party
services. PKI includes digital certificates and
certificate authorities.
Digital signatures are encrypted messages that are
independently verified by a central facility, and
which provide nonrepudiation.
 Summary (4 of 5)

Steganography is the hiding of information. It is not
properly a form of cryptography, but is similar in
that it is used to protect confidential information
while in transit.
S-HTTP (Secure Hypertext Transfer Protocol),
Secure Electronic Transactions (SET), and SSL
(Secure Sockets Layer) are protocols designed to
enable secure communications across the Internet.
IPSec is the protocol used to secure
communications across any IP-based network,
such as LANs, WANs, and the Internet.
 Summary (5 of 5)

Secure Multipurpose Internet Mail Extensions
(S/MIME), Privacy Enhanced
Mail (PEM), and Pretty Good Privacy (PGP) are
protocols that are used to secure e-mail.
Wireless networks require their own cryptographic
protection. Originally protected with WEP and
WPA, most modern Wi-Fi networks are now
protected with WPA2.