Title: Modern Data Security in Five Acts
Modern Data Security in Five Acts
- Act IV: Beyond the Secret Decoder Ring
WELCOME!
National Cyber Security Awareness Events
- Act I: Modern Data Handling
- Act II: Security on the Go
- Act III: Modern Teleworking Solutions
- Act IV: Beyond the Secret Decoder Ring
- Act V: Security Trick or Treat
- http://www.purdue.edu/securepurdue/training/awarenessMonth.cfm
The World We Live In
- Significant incidents recently reported to HackerWatch.org:
- 24 Hours: 78,541,667
- 7 Days: 547,791,661
- 30 Days: 2,356,379,550
The World We Live In
- As of 10/24/2006, TOTAL number of records containing sensitive personal information involved in security breaches: 94,091,429
- Purdue University listed 3 times
Encryption 101
- Beyond the Secret Decoder Ring
- Sam Wagstaff
- Computer Sciences and CERIAS
What is a secret decoder ring?
Popular 1930s to 1990s. Little Orphan Annie radio show. The image shown is from 1936. Also in breakfast cereal boxes.
Another secret decoder ring
- Captain Midnight and the Space Cadets, radio and television
- Also in breakfast cereal boxes
- Most were badges; none was a ring
- Plaintext or clear text: you can understand it
- Ciphertext: looks like gibberish, but is equivalent to plaintext
- Encipher or encrypt: convert plaintext to ciphertext using a key
- Decipher or decrypt: convert ciphertext to plaintext using a key
- The key for the secret decoder is the position of the alphabet circles.
- The inner circle is the alphabet for plaintext.
- The outer circle is the alphabet for ciphertext.
- Example: plaintext D R I N K
- ciphertext G U L Q N
A secret decoder does clock arithmetic, in fact, arithmetic modulo 26.
Encipher by adding 3 to a plaintext letter's value: T + 3 = W, H + 3 = K, E + 3 = H, so THE becomes WKH. Decipher by subtracting 3 from a ciphertext letter's value. This cipher is also called a Caesar cipher.
To "break" a cipher means to either find the key or convert ciphertext to plaintext without knowing the key.
- A Caesar cipher is easy to break because there are only 26 possible keys, and one can try all of them.
- A secret decoder is adequate for secrets of Junior Space Cadets, but not for secrets of adults.
- Ciphers are used for secret communication or for protecting secret files.
- Cryptography is the study of ciphers.
- Cryptanalysis studies how to break ciphers.
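As an added example (not code from the slides), the decoder ring written out as arithmetic modulo 26, together with the "only 26 keys, so try them all" break described above; the crude letter-frequency score used to rank the 26 candidates is my own simplification of the E-T-A hint the talk gives later, and all function names are assumptions.

```python
# Added example (not from the slides): the secret decoder ring as arithmetic
# modulo 26, and the "only 26 keys, try them all" break from the talk.
import string

ALPHABET = string.ascii_uppercase


def caesar(text, key):
    """Encipher by adding `key` to each letter's value mod 26; non-letters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decipher(text, key):
    """Decipher by subtracting the key, which is the same as adding -key mod 26."""
    return caesar(text, -key)


def try_all_keys(ciphertext):
    """Ciphertext-only attack: the candidate plaintext for every one of the 26 keys."""
    return {key: decipher(ciphertext, key) for key in range(26)}


def score_english(text, common="ETAOIN"):
    """Crude English score (assumed rule): count letters among the most frequent ones."""
    return sum(1 for ch in text if ch in common)


def best_guess(ciphertext):
    """Pick the key whose candidate scores highest; returns (key, plaintext)."""
    candidates = try_all_keys(ciphertext)
    key = max(candidates, key=lambda k: score_english(candidates[k]))
    return key, candidates[key]


if __name__ == "__main__":
    print(caesar("THE", 3))                      # WKH, as in the talk
    secret = caesar("MEET ME AT THE OLD STATION AT TEN TONIGHT", 3)
    print(best_guess(secret))                    # (3, 'MEET ME AT THE OLD ...')
```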
- A slightly better cipher than a Caesar cipher is a cryptogram.
- This is a simple substitution cipher in which the mapping from plaintext alphabet to ciphertext alphabet is an arbitrary permutation of the letters of the alphabet.
- The number of possible keys is 26! = 403291461126605635584000000, which is more keys than one could try in the lifetime of the universe.
- Nevertheless, cryptograms appear as amusements each day in the Exponent and the Journal & Courier. Many readers solve them every day.
- Break it by guessing words from their letter patterns, or by using the relative frequency of individual letters. E is most frequent, T is second, etc.
- Here is an example of a cryptogram:
- MVAG SGVSXG UTWG T
- WGEGGL OUTO KVAGM VII
- GTMHXF PHOU T XHOOXG
- TXKVUVX. --- S. UTLLHMVE
- Partial solution, with the letters found so far filled in above each ciphertext line (G = E, V = O, S = P, X = L; unknown letters shown as _):
- _O_E PEOPLE ___E _
- MVAG SGVSXG UTWG T
- _E_EE_ ____ _O_E_ O__
- WGEGGL OUTO KVAGM VII
- E___L_ ____ _ L___LE
- GTMHXF PHOU T XHOOXG
- _L_O_OL. --- P. ______O_
- TXKVUVX. --- S. UTLLHMVE
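As an added example (not code from the slides), the cryptogram above treated as a simple substitution cipher in Python: the 26! key space, the letter-frequency count that points at G = E, the partial fill-in of the slide, and the full key worked out from that fill-in word by word (SGVSXG = PEOPLE, OUTO = THAT, KVAGM = COMES, and so on). The function names and the `extend_key` permutation check are my own.

```python
# Added example (not from the slides): the cryptogram as a simple
# substitution cipher: key space, letter frequencies, partial and full decode.
import math
import string
from collections import Counter

# Ciphertext exactly as printed on the slide (signature on the last line).
CRYPTOGRAM = (
    "MVAG SGVSXG UTWG T\n"
    "WGEGGL OUTO KVAGM VII\n"
    "GTMHXF PHOU T XHOOXG\n"
    "TXKVUVX. --- S. UTLLHMVE"
)

KEY_SPACE = math.factorial(26)   # number of possible simple substitution keys

# Letters filled in on the partial-solution slide: ciphertext -> plaintext.
PARTIAL_KEY = {"G": "E", "V": "O", "S": "P", "X": "L"}


def letter_frequencies(text):
    """Ciphertext letters ordered most-common first, as (letter, count) pairs."""
    counts = Counter(ch for ch in text.upper() if ch in string.ascii_uppercase)
    return counts.most_common()


def decode(text, key, unknown="_"):
    """Apply a (possibly partial) substitution key; unmapped letters become `unknown`."""
    out = []
    for ch in text.upper():
        if ch in string.ascii_uppercase:
            out.append(key.get(ch, unknown))
        else:
            out.append(ch)
    return "".join(out)


def extend_key(key, guesses):
    """Add guesses to a key, refusing any that would send two ciphertext letters to one plaintext letter."""
    new = dict(key)
    for c, p in guesses.items():
        if p in new.values() and new.get(c) != p:
            raise ValueError(f"{p} already assigned; a substitution key must be a permutation")
        new[c] = p
    return new


# Full key for this cryptogram, worked out word by word from the partial fill-in.
FULL_KEY = extend_key(PARTIAL_KEY, {
    "M": "S", "A": "M", "U": "H", "T": "A", "W": "V", "E": "N", "L": "R",
    "O": "T", "K": "C", "I": "F", "H": "I", "F": "Y", "P": "W",
})
```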
Types of Attacks on Ciphers
- Ciphertext only: Given only the ciphertext, find the key and/or the plaintext.
- Known-plaintext attack: Given the ciphertext and corresponding plaintext, find the key.
- Chosen-plaintext attack: Cryptanalyst may choose some plaintext and learn the corresponding ciphertext. Goal: find key.
Types of Ciphers
- One key = Private key = Symmetric key
- All mean that the same key is used to encipher and decipher. (Or else you can easily compute either key from the other.)
- Has direct authentication
- Uses bit manipulation
- Very fast: at disk transfer rates
- Examples: DES, AES
Common Symmetric Ciphers
- DES has a 56-bit key. One can try all possible keys in ... Differential cryptanalysis might help break it, too.
- DES is used for short-term secrets, like satellite TV codes or press releases.
Common Symmetric Ciphers
- AES has a choice of 128, 192 or 256-bit keys. It takes too long to try all possible keys, and there is no known better attack. AES is used for serious secrets.
- Also called Rijndael.
Types of Ciphers
- Two key = Public key = Asymmetric key
- Enciphering key is public
- Deciphering key is private (secret)
- You must solve a hard problem to find the other key, given one of the two keys.
- Has no direct authentication, but one can sign
- Uses number theory and large integer arithmetic
- Much slower than one-key ciphers
- Examples: RSA, ElGamal, Rabin-Williams
- Suppose Alice wants to email a long secret letter to Bob, but they haven't agreed on a secret key for AES.
- Alice uses a random AES key to encipher the letter and sends the ciphertext to Bob.
- Alice enciphers the random key using Bob's public RSA key and sends it to him.
- Bob deciphers the second message with his secret RSA key and gets the AES key, which he uses to decipher the letter.
- Zimmermann's PGP does all this and more.
- Public key cryptography enjoys nice properties useful in complicated protocols, such as contract signing, electronic elections, oblivious transfer, digital cash and simultaneous exchange of secrets.
- Traditional PKC uses exponentiation modulo a very large integer n, of 1024 bits or about 300 decimal digits.
- Fast exponentiation makes these operations feasible, but still quite slow.
- Traditional PKC operates in the multiplicative group of integers modulo n.
- It assumes that one of these number theory problems is hard:
- 1. Factoring integers: Given n, find p and q with n = pq.
- 2. Discrete logarithm: Given n, a and b, find e so that a raised to the e power is congruent to b modulo n.
- The best known methods can solve either problem for n up to 200 decimal digits.
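As an added example (not code from the slides or from PGP), textbook RSA with toy primes in Python, tying together the Alice-and-Bob exchange (the step where the random session key is enciphered under Bob's public RSA key), the fast exponentiation the talk mentions, and the factoring problem it rests on. The primes 61 and 53, the exponent 17 and all function names are constructed for illustration; real RSA uses a 1024-bit or larger n with padding, and the AES part of the exchange is not shown.

```python
# Added example (not from the slides): textbook RSA with toy primes, showing
# square-and-multiply exponentiation, the RSA step of the Alice/Bob key
# exchange, and why factoring n breaks the scheme. Unpadded, for illustration only.


def mod_pow(base, exp, mod):
    """Fast exponentiation (square-and-multiply): about log2(exp) squarings."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:                    # low bit set: multiply in this power of base
            result = result * base % mod
        base = base * base % mod       # square for the next bit
        exp >>= 1
    return result


def rsa_keypair(p, q, e=17):
    """(public, private) from primes p, q: n = p*q and d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse; fails if gcd(e, phi) != 1
    return (n, e), (n, d)


def wrap_key(session_key, public):
    """Alice: encipher the random symmetric key with Bob's public key (n, e)."""
    n, e = public
    if not 0 < session_key < n:
        raise ValueError("session key must be smaller than the modulus")
    return mod_pow(session_key, e, n)


def unwrap_key(wrapped, private):
    """Bob: recover the session key with his private key (n, d)."""
    n, d = private
    return mod_pow(wrapped, d, n)


def private_from_factors(public, p, q):
    """The hard problem behind RSA: whoever factors n = p*q can rebuild d."""
    n, e = public
    if p * q != n:
        raise ValueError("p*q is not n")
    return (n, pow(e, -1, (p - 1) * (q - 1)))


# Constructed toy primes (far too small for real use).
P, Q = 61, 53
PUBLIC, PRIVATE = rsa_keypair(P, Q)

if __name__ == "__main__":
    key = 65                                   # stands in for a random AES key
    print("Bob recovered the key:", unwrap_key(wrap_key(key, PUBLIC), PRIVATE) == key)
```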
Elliptic curves
- They provide many examples of mathematical groups for which the discrete logarithm problem is as hard using 128-bit numbers, or 40 decimal digits, as it is modulo n when n has 1024 bits, or 300 decimal digits.
- This gives equal security faster, but still not as fast as symmetric ciphers.
- Elliptic curves have other nice properties, too, that facilitate certain protocols.
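As an added example (not code from the slides), one of the "mathematical groups" the slide refers to, made concrete in Python: the point-addition law of a small elliptic curve over a prime field, double-and-add scalar multiplication (the curve's counterpart of fast exponentiation), and a brute-force discrete logarithm that only works because the group is tiny. The curve y^2 = x^3 + 2x + 2 mod 17 with base point (5, 1) and all function names are constructed for illustration.

```python
# Added example (not from the slides): elliptic-curve group law over a small
# prime field and a brute-force discrete log. Curve constructed for illustration:
# y^2 = x^3 + 2x + 2 mod 17, base point (5, 1).
P_FIELD = 17
A, B = 2, 2
G = (5, 1)           # base point
INF = None           # point at infinity, the group identity


def ec_add(p1, p2):
    """Add two curve points (chord-and-tangent rule), arithmetic mod P_FIELD."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF                                               # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_FIELD)      # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)             # chord slope
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    y3 = (lam * (x1 - x3) - y1) % P_FIELD
    return (x3, y3)


def ec_mul(k, point):
    """Scalar multiplication k*point by double-and-add, like square-and-multiply."""
    result, addend = INF, point
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def discrete_log(target, base=G):
    """Find k with k*base == target by trying every k (the EC discrete log problem).
    Feasible only because this group has 19 elements; on a 128-bit curve it is not."""
    acc, k = base, 1
    while acc is not INF:
        if acc == target:
            return k
        acc, k = ec_add(acc, base), k + 1
    return None
```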
Key Management
- Modern encryption will secure your files and messages.
- There is little danger anyone will find your key by brute force.
- A greater danger is key loss.
- Where do you store your key?
- What if you lose your key?
Politics
- Strong cryptography cannot be exported.
- In law it is a munition, like a nuclear bomb.
- However, you may import cryptography.
- It is widely available on foreign web sites.
- Cryptography is restricted in several countries.
Presenters
- Addam Schroll
- David Seidl
Orlbaq gur Frperg Qrpbqre Evat
Beyond the Secret Decoder Ring
Time to use your decoder rings!
The Home Crypto Checklist
- SSL
- Secure e-mail
- Encrypted password utility
- File encryption
- Volume encryption
- Encrypted IM
- Secret decoder rings
SSL: Keeping the web secure
- SSL or Secure Sockets Layer
- Used to protect data sessions with websites.
- Reasonably secure, but can operate at different levels.
- Always look for SSL when you submit data you do not want to be public!
Look for the lock
Internet Explorer 7
Check the certificate: Sanity Check!
Do you trust me?
Everyday places to check for SSL
- Online banking
- Bill payment sites
- Webmail (many webmail sites do not default to HTTPS, but they do support it!)
- Health/medical websites
- Any site that you want to submit data to securely.
Encrypted e-mail
- Two popular e-mail encryption solutions:
- S/MIME
- OpenPGP
- Protects messages from interception or modification
- Verifies identity of the message sender
- Requires significant setup time or learning
S/MIME: Not a security mime
S/MIME vs. OpenPGP
- S/MIME:
- Supported by most e-mail clients
- Requires a central authority
- X.509 Certificates
- Hierarchical Trust Model
- OpenPGP:
- Requires additional software
- Each user is an authority
- Public/Private Key Pairs
- Web of Trust Model
PGP encoder?
Where to get certificates
- Issued by a central authority
- Organization
- Third-party certificate vendor
- Purdue currently does not have a system-wide certificate authority
- Thawte Personal Certificates
Encrypted E-mail Tips
- Follow the Purdue Data Handling Guidelines
- Use encrypted email as a means of transport, not storage
- File your sensitive information elsewhere
- Backup your keys and certificates!
Encrypted E-mail Tips (2)
- Revoke certificates or keys if compromised
- Trusting a key should only be done after suitable verification with the owner
Keeping your passwords safe
- Problems with passwords and passphrases
- - Too many passwords
- - Too many sites and different usernames
- - Too many different security requirements
Password utilities
- Password Safe
- http://passwordsafe.sourceforge.net/
- Keychain (Mac)
- KeePass
- http://keepass.sourceforge.net/
Rules for using a password utility
- Use a very good password for your safe
- Keep multiple, up to date copies of your safe
- Make sure you have the safe's timeout enabled
- Don't keep work and personal passwords in the same safe.
Password Safe
Password Safe Entries
A few extra tricks
- Use your password safe's note capability to store alternate answers to security questions. Where you were born is not a good secret, but where you were born with a made-up answer is.
- Use the safe's storage capability to store the URL if you tend to forget it; that way, you won't hit a fake site by accident!
File, Volume, and Drive encryption for the home user
- Two minute vocabulary
- File: one or more files
- Volume: a partition on a drive
- Drive: formatting the entire drive
- AES (aka Rijndael): an encryption standard approved by the US government. Replaces DES.
- DES: an encryption standard approved by the US government. Look for 3DES, as DES alone is weak.
Volume and Drive encryption
- Pros
- Keeps files safe
- Provides privacy from other users of the same system
- Cons
- Forget the password and your data is gone
- Slower reads and writes due to encryption
- Requires technical knowledge to use
I can't use TrueCrypt, what now?
- Alternatives exist for most platforms.
- You can use file encryption rather than volume encryption. PGP is available for almost any system.
- Remember to look for a program that uses standards-based encryption.
- The encryption you use is far more effective than encryption you don't use!
Rules of encrypted files
- Keep a safe, up to date copy
- Remember your passphrase!
- Don't leave it unlocked
- If it is open and mounted, and your machine is hacked, the hacker will have access
- Encryption is only as good as its testing. Use peer-reviewed standards.
Encrypted IM
- Many third-party IM applications support encryption in one form or another.
- Some encrypt only the message, not the sender's identity.
- Presenters tend to use GAIM + OTR (Off The Record) messaging.
- For those at work, data handling guidelines still apply no matter what medium you work in, and you should review your department's policy.
Encryption at home
- Passwords
- Data
- Spreadsheets
- Home inventory
- Archived e-mail
- Other documents
- Instant messaging
- E-mail encryption works the same at home!
References
- Purdue Data Handling Guidelines
- www.itap.purdue.edu/security/procedures/dataHandling.cfm
- OpenPGP
- www.openpgp.org
- S/MIME Tutorial
- www.marknoble.com/tutorial/smime/smime.aspx
- Thawte Personal Certificates
- www.thawte.com/secure-email/personal-email-certificates/index.html
- TrueCrypt
- http://www.truecrypt.org/
- Off The Record Messaging
- http://www.cypherpunks.ca/otr/
- Password Safe
- http://passwordsafe.sourceforge.net/
- KeePass
- http://keepass.sourceforge.net/
Short Videos
- C:\October Security Events\Phishing for Kenny Act IV.wmv
- C:\October Security Events\Back your data Act IV.wmv
National Cyber Security Awareness Events