Encryption. CWE-319: Cleartext Transmission of Sensitive Information

Similar documents
IT Networks & Security CERT Luncheon Series: Cryptography

Message Authentication Codes

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Savitribai Phule Pune University

Data Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin.

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Overview. SSL Cryptography Overview CHAPTER 1

Chapter 10. Network Security

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Content Teaching Academy at James Madison University

Secure Network Communications FIPS Non Proprietary Security Policy

Client Server Registration Protocol

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

OOo Digital Signatures. Malte Timmermann Technical Architect Sun Microsystems GmbH

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Chapter 17. Transport-Level Security

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

CS Computer Security Third topic: Crypto Support Sys

Secure Sockets Layer

Cryptography & Digital Signatures

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

An Introduction to Cryptography as Applied to the Smart Grid

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Secure File Transfer Appliance Security Policy Document Version 1.9. Accellion, Inc.

Guide to Data Field Encryption

EXAM questions for the course TTM Information Security May Part 1

Chapter 8. Network Security

Table of Contents. Bibliografische Informationen digitalisiert durch

CS 758: Cryptography / Network Security

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

A Standards-based Approach to IP Protection for HDLs

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

DRAFT Standard Statement Encryption

Network Security Protocols

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Computer System Management: Hosting Servers, Miscellaneous

Transport Level Security

CSE/EE 461 Lecture 23

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Cryptography and Network Security Chapter 12

Information Security

Angel Dichev RIG, SAP Labs

Analyzing the Security Schemes of Various Cloud Storage Services

Is your data safe out there? -A white Paper on Online Security

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

Authentication in WLAN

SSL A discussion of the Secure Socket Layer

Security Sensor Network. Biswajit panja

Thick Client Application Security

How To Encrypt Data With Encryption

ERserver. iseries. Secure Sockets Layer (SSL)

Web Security: Encryption & Authentication

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Lukasz Pater CMMS Administrator and Developer

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

CSCI-E46: Applied Network Security. Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING

Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

NXP & Security Innovation Encryption for ARM MCUs

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

Authentication requirement Authentication function MAC Hash function Security of

Cryptography Lecture 8. Digital signatures, hash functions

Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

Network Security. Network Security. Security in Computer Networks

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Lecture 9: Application of Cryptography

Chapter 7 Transport-Level Security

Three attacks in SSL protocol and their solutions

Security Goals Services

Understanding digital certificates

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Chapter 10. Cloud Security Mechanisms

IBM i Version 7.3. Security Digital Certificate Manager IBM

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Lecture 6 - Cryptography

CRYPTOGRAPHY IN NETWORK SECURITY

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Cryptographic mechanisms

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Cryptography and Key Management Basics

Security Protocols/Standards

LogMeIn Rescue Architecture

SENSE Security overview 2014

[SMO-SFO-ICO-PE-046-GU-

WIRELESS LAN SECURITY FUNDAMENTALS

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

qwertyuiopasdfghjklzxcvbnmqwertyui opasdfghjklzxcvbnmqwertyuiopasdfgh jklzxcvbnmqwertyuiopasdfghjklzxcvb

Secure Data Transfer

Transcription:

Encryption Laurie Williams williams@csc.ncsu.edu John Slankas John_Slankas@ncsu.edu CWE-319: Cleartext Transmission of Sensitive Information Condition: Your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many different nodes in transit to its final destination. Consequence: Attackers can sniff this data right off the wire 1

CWE-327: Broken or Risky Cryptographic Algorithm Condition: The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Consequences: Well-known techniques may exist to break the algorithm. http://cwe.mitre.org/data/definitions/327.html CWE-256: Plaintext Storage of a Password Anyone who can get to config.properties can get password Anyone who can get to registry key can get password http://cwe.mitre.org/data/definitions/256.html 2

CWE-321: Use of Hard-coded Cryptographic Key The cryptographic key is within a hard-coded string value that is compared to the password and a true or false value is returned for verification that the password is equivalent to the hard-coded cryptographic key. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. http://cwe.mitre.org/data/definitions/256.html Encryption Encryption is the process of encoding a message/data so its meaning is not obvious Decryption is the reverse process, transforming an encrypted message/data back into its normal, original form Plaintext: original message/data Ciphertext: encrypted message/data Pfleeger and Pfleeger, Security in Computing, Pearson Education, 2003. 3

Encryption Algorithm: set of rules for encryption and decryption Key: key specifies the particular transformation of plaintext into ciphertext, or visa versa during decryption C = E(K,P) P = D(K,C) Symmetric Algorithms Same key to encrypt and decrypt data. Generally works fast Typical uses: secrecy and integrity of data, messages, files Examples: DEA (Data Encryption Algorithm) which is specified within the DES (Data Encryption Standard). Triple DES (Encrypt, Decrypt, Encrypt) 2 or 3 keys AES (Advanced Encryption Standard) US Standard Skipjack, Blowfish, IDEA http://www.spamlaws.com/encryption-algorithms.html http://www.networksorcery.com/enp/data/encryption.htm 4

Asymmetric Algorithms Public-key cryptography One key encrypts data, while the other key decrypts (can reverse the keys) Keys are typically referred to as public and private Generally much slower than symmetric algorithms Typical uses: Key exchange, authentication http://www.spamlaws.com/encryption-algorithms.html http://www.networksorcery.com/enp/data/encryption.htm Hash Algorithms Takes an arbitrarily long data and produces a fixed-size result Uses Message integrity Efficient digital signatures Password hashing Examples: MD5, SHA-1, SHA-256 Cryptography Engineering, Ferguson et al, Wiley, 2010 5

Why Use Encryption? Protect communication channels Protect stored data Exchange keys Digital signatures Choosing an Encryption Algorithm There is no right answer How long must the data be protected? How long must the encryption/decryption process take? Use standard algorithms Keys: Longer key: stronger encryption Longer key: more processing time Combine symmetric and asymmetric algorithms to get the best of both options http://technet.microsoft.com/en-us/library/ms345262.aspx 6

Using Encryption Wisely Use standard algorithms Educate yourself What are the strengths and weaknesses? Block cipher modes? ECB / CBC / OFB / CFB / CTR Weak keys? Semi-weak keys? Stay current DES MD5 Protect the keys Verify certificates Abstraction Encryption Attacks Ciphertext only Known plaintext/ciphertext pairs Man in the Middle Replaying message Side-channel attacks Timing how long something takes to occur Examining memory Don t assume you are safe. Be paranoid 7

Encryption in Applications Passwords Hash Don t forget the salt Digital signatures Protect confidential data Transfer users from one authenticated session to another URL / Data parameters Many more uses. SSL / TLS SSL (Secure Sockets Layer) Standard security protocol for communications over a network (ie, the Internet) Provides endpoint authentication (client optional) Encrypts all communication Uses both asymmetric and symetric algorithms For web applications with SSL, use SSL for the entire session (login to logout). Why? 8

At the Application Layer Use standard APIs Java Cryptographic Extension (JCE) Cryptographic Application Programming Interfaces (Windows) Mac OS X Security Services Database layer Encryption Functions - MySQL http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information