How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Transcription

1

2 How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and non-repudiation. How to obtain a digital certificate. Installing that digital certificate in the client. Using and sharing digital signatures. Configuration considerations.

3 But first some background on . How many s do you think are sent worldwide, each day? Or how many just within North America on a daily basis?

4

5

6

7

8 Encryption Hash Digital Signature

9 Only authorized individuals, processes, or systems have access to information on a needto-know basis. This level of access, also known as the principle of least privilege, is at the level necessary for the individual to do their job. Confidentiality ensures that the necessary level of security is enforced at each instance of data processing; while the data is at rest and while the data is in transit.

10 Encryption is the process of encoding messages or information in such a way that only parties who have the decryption process can read it. Plain text: Welcome to Security. My name is J. Kenneth Magee. Cipher text: NOTjPp2lXl09mcdcIKMjAqwH8zVK9nyxc/TZRRb +xkj+e49aculcexohv+/0ynj4+lvzghe8yx+1n VWw63ywVQ==

11

12 Since everything gets converted to binary. Plain text: Welcome to Security. Binary:

13 First, Symmetric Algorithm = one Secret Key S=S=S=S=S (Symmetric, Secret, Shared, every Single, Session) Second, Asymmetric Algorithm = two keys (Public & Private)

14 Requires the key to be Shared and provides confidentiality only. But it s faster than asymmetric. On the order of 1000 times or more, faster. Good for bulk data encryption.

15 Does not require the sharing of the private key. Provides confidentiality, authenticity, nonrepudiation. But it s slower than symmetric. On the order of 1000 times or more, slower than symmetric. Good for small pieces of data (like secret keys)

16 This principle implies that data should be protected from intentional, unauthorized, and/or accidental changes. Controls are put in place to ensure that information is only modified through approved and accepted practices. Hardware, software, and communication mechanisms should work in concert to maintain and process data correctly and to move data to intended destinations without unexpected alteration.

17 It is a one-way function which doesn t require keys or prior relationship establishment with the other party. Irreversible, can t be reverse engineered. Provides integrity functionality Variable length data is input to the hash algorithm and a fixed value is output.

18 Current hash algorithms. MD5 = 128 bit (subject to collisions) SHA-1 = 160 bit (subject to theoretical collision attack with 2 61 calls) not approved for cryptographic functions after 2010 SHA-2 = 256 bit or 512 bit with truncated versions of SHA-224 and SHA-384 (No collisions found during testing) SHA-3 (Keccak) April 2014 NIST Draft standard

19 This principle implies that the sender s identify can be trusted and that the sender cannot deny having sent the message. Controls are put in place to ensure that senders are uniquely identifiable. Hardware, software, and communication mechanisms should work in concert to minimize the amount of effort required to validate a person s identity.

20 Digital signatures use the hash function and asymmetric encryption to provide integrity and authenticity. Hash function Fingerprint or Message Digest

21 The message digest is encrypted with the sender s private key. This is Digital Signing. Fingerprint or Message Digest Encryption function The and the encrypted message digest are sent to the receiver.

22 The receiver strips off the message digest, sits it aside and calculates a new message digest. The receiver uses the sender s public key to decrypt the sent message digest and compares it to the one just calculated. It they match then the message is said to be authentic and have integrity.

23 Match = yes authentic & integrity

24 You will need to generate a public/private key pair. You will need to select a Certificate Authority with which to register your public key. You will need to learn how to use them.

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58 The digital signature process is to encrypt the message digest/hash of the message with the sender s private key. And the receiver decrypts the message digest/hast of the message with the sender s public key, calculates their own message digest and compares the two. If they match we will the following when we mouse over the Digital Signature icon.

59

60 Digital Signatures provides authenticity, integrity, and non-repudiation. Encryption provides confidentiality.