Application Cryptography - PowerPoint PPT Presentation

Slides: 16
Provided by: jeffsta3
1
Application Cryptography
  • Jeff Stapleton
  • CTO, Innove
  • jeff.stapleton_at_innove.com
  • Chair, X9F4 working group
  • President & Founder, Information Assurance Consortium
  • jeff.stapleton_at_infoassurance.org

2
Agenda
  • Brief history of cryptography
  • Review of the OSI stack
  • Application Cryptography
  • IT risks and the use of cryptography
  • Business risks
  • IT security risks
  • Case studies
  • Audit and Assessment
  • Summary

3
History of Cryptography
  • 3500 B.C. Sumerian standard cuneiform first
    written language
  • 3000 B.C. Egyptian standard hieroglyphics
  • 1900 B.C. Egyptian non-standard hieroglyphic
    substitution cipher
  • 500 B.C. Hebrew ATBASH substitution cipher
  • 400 B.C. Greek scytale considered
    transposition cipher
  • 50 B.C. Julius Caesar substitution cipher
  • 1587 A.D. Medieval Vigenère polyalphabetic
    substitution cipher
  • 1790 A.D. Thomas Jefferson wheel (US Army in WW
    I)
  • 1845 A.D. Morse Code
  • 1918 A.D. German Enigma Machine (WW II)
  • 1937 A.D. Navajo Code Talkers (WW II)
  • 1949 A.D. Shannon modern One Time Pad (OTP)
  • 1968 A.D. Data Encryption Standard (IBM)
  • 1976 A.D. Diffie-Hellman public key agreement
  • 1977 A.D. RSA public key cryptography
  • 1985 A.D. Elliptic Curve Cryptography (ECC)
  • 2001 A.D. Advanced Encryption Standard
    (Rijndael)

3,908 Years of Technology
4
OSI Reference Model
  • ISO Open Systems Interconnection (OSI)

  (7) Application Layer: S/MIME
  (6) Presentation Layer: DKIM
  (5) Session Layer / (4) Transport Layer: TLS (SSL)
  (3) Network Layer: IPsec
  (2) Link Layer: Link Encryptor
  (1) Physical Layer
5
Basic IT Risks
No Cryptography Protection Methods
  • Vulnerabilities
      • Network
      • Wireless
      • Memory
      • Bus
      • Emissions
      • Storage
      • Media

Diagram: programs and data pass unprotected through memory, storage (32G USB) and networks, including wireless.
6
Key Management Risk
Cryptography Protection Methods
  • Vulnerabilities
      • Network
      • Wireless
      • Memory
      • Bus
      • Emissions
      • Storage
      • Media
      • Keys

Diagram: cryptography now protects programs and data in memory, storage (32G USB) and networks; the cryptographic keys themselves become a new asset to protect.
7
Managed Risk
Tamper Resistant Security Module (TRSM)
  • Vulnerabilities
      • Network
      • Wireless
      • Memory
      • Bus
      • Emissions
      • Storage
      • Media
      • Keys

Diagram: cryptographic keys and cryptographic operations are held inside a TRSM; programs and data remain protected in memory, storage (32G USB) and networks.
8
Business Risks
  • Receiving non-authenticated data
      • Data origination issue
  • Sending non-authenticated data
      • Phishing attacks
  • Processing non-verified data
      • Data integrity issue
  • Exposing sensitive data
      • Unauthorized access to information
  • Storing non-verifiable data
      • Unable to link integrity to a reliable clock
  • Relying on non-verifiable software
      • Change control applet issues
  • Relying on non-verifiable logs
      • Unable to synchronize logs due to unreliable clock

All of these risks can be addressed via Application Cryptography:
  • Encryption
  • Key Management
  • Digital Signatures
  • PKI
  • Trusted Time Stamp

9
IT Security Issues
  • IT reliance is a major Business Risk
  • Defense in depth: IT layer(s) plus a Process layer
  • Critical need for Application Cryptography

  (8) Process Layer
  (7) Application Layer: S/MIME, authentication, confidentiality and integrity between email users
  (6) Presentation Layer: DKIM, authentication and integrity between two email servers (spam killer)
  (5) Session Layer
  (4) Transport Layer: TLS, authentication, confidentiality and integrity between end points
  (3) Network Layer: IPsec, authentication, confidentiality and integrity between end points
  (2) Link Layer: Link Encryptors, confidentiality between two end points
  (1) Physical Layer

Note: IT key management is often a killer issue
10
Case Study PIN
  • Financial Institution issues card PIN to
    cardholder
  • Cardholder inserts card and enters PIN at ATM
  • ATM encrypts PIN
  • ATM transmits data and encrypted PIN to Acquirer
  • Acquirer translates PIN to network key
  • Acquirer transmits data and encrypted PIN to Network
  • Network translates PIN to Issuer key
  • Network transmits data and encrypted PIN to Issuer
  • OK transmitted back to ATM for cash disbursal

Diagram: the encrypted PIN flows Cardholder, ATM, Acquirer FI, Network, Issuer FI; the OK flows back along the same path.
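The PIN case study above, worked as an added example (not code from the presentation): the PIN is put in an X9.8 / ISO 9564 format-0 PIN block, encrypted under the ATM zone key, then translated at each hop by decrypting under the incoming zone key and re-encrypting under the outgoing one, so the clear block only ever exists inside the translating module. The zone keys, the sample PAN and the issuer comparing against a stored PIN are assumptions made for illustration.

```ruby
require 'openssl'

# Constructed sample zone keys (24-byte TDEA), one per key zone on the slide.
# In a real deployment each key lives only inside that party's TRSM/HSM.
ATM_KEY     = 'ATM-ZONE-KEY--SAMPLE-24B'
NETWORK_KEY = 'NET-ZONE-KEY--SAMPLE-24B'
ISSUER_KEY  = 'ISS-ZONE-KEY--SAMPLE-24B'

# ISO 9564-1 format-0 PIN block: the PIN field (0, PIN length, PIN, F padding)
# XORed with the PAN field (0000 plus the 12 rightmost PAN digits, check digit excluded).
def iso_format0_block(pin, pan)
  raise ArgumentError, 'PIN must be 4-12 digits' unless pin =~ /\A\d{4,12}\z/
  raise ArgumentError, 'PAN must be 13-19 digits' unless pan =~ /\A\d{13,19}\z/
  pin_field = format('0%X%s', pin.length, pin).ljust(16, 'F')
  pan_field = '0000' + pan[-13, 12]
  [pin_field].pack('H*').bytes.zip([pan_field].pack('H*').bytes).map { |a, b| a ^ b }.pack('C*')
end

# Encrypt or decrypt one 8-byte block with TDEA (single block, no padding).
def tdea(key, block, encrypt)
  c = OpenSSL::Cipher.new('des-ede3')
  encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.padding = 0
  c.update(block) + c.final
end

# One acquirer or network hop: decrypt under the incoming zone key, re-encrypt
# under the outgoing one. The clear block exists only inside this method, which
# stands in for the TRSM boundary the slides describe.
def translate(in_key, out_key, enc_pin)
  tdea(out_key, tdea(in_key, enc_pin, false), true)
end

# ATM encryption plus the two translation hops; returns the block as the issuer
# receives it, encrypted under ISSUER_KEY.
def transmit_pin(pin, pan)
  atm_enc = tdea(ATM_KEY, iso_format0_block(pin, pan), true) # ATM encrypts under the ATM key
  net_enc = translate(ATM_KEY, NETWORK_KEY, atm_enc)          # Acquirer: ATM key -> network key
  translate(NETWORK_KEY, ISSUER_KEY, net_enc)                 # Network: network key -> issuer key
end

# The issuer decrypts under its zone key and compares with the block for the PIN
# on record. (Real issuers compare a PIN offset or PVV rather than a stored PIN.)
def issuer_verify(enc_pin, pin_on_record, pan)
  tdea(ISSUER_KEY, enc_pin, false) == iso_format0_block(pin_on_record, pan)
end
```

Calling `issuer_verify(transmit_pin('1234', pan), '1234', pan)` returns true for a constructed PAN such as '4000001234567899', while any other PIN on record returns false; the ATM-zone ciphertext never reaches the issuer, only its re-encryption under the issuer key.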
11
Case Study Biometrics
  • Financial Institution issues card to cardholder and enrolls cardholder
  • Financial Institution submits biometric to Verifier
  • Cardholder inserts card and enters biometric at ATM
  • ATM protects biometric
  • ATM transmits data and protected biometric to Acquirer
  • Acquirer protects biometric
  • Acquirer transmits data and protected biometric to Verifier
  • Verifier validates biometric and transmits data to Issuer
  • OK transmitted back to ATM for cash disbursal

Diagram: the protected biometric flows Cardholder, ATM, Acquirer FI, Verifier (match), Issuer FI; the OK flows back to the ATM.
12
Case Study Healthcare
  • Pharmacies established joint Data Mining
    company to process prescriptions information for
    resale to pharmaceutical companies
  • Consumer X at pharmacies A, C and D and Y at
    pharmacy F
  • Ability to match up prescription purchases for
    X and guarantee anonymity regardless of payment
    method
  • Pharmacies use a common keyed hash to obfuscate
    PII
  • Data Miner matches up keyed hash
  • One key component held by Data Miner, another held by Law Firm; ability to change hash key periodically

Diagram: pharmacies A to F feed the Data Mining company; Person X prescriptions 1 and 2 arrive through several pharmacies, Person Y prescription N through pharmacy F.
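The healthcare case study above, worked as an added example that is not the presentation's own code: each pharmacy replaces the consumer's PII with a keyed hash (HMAC-SHA256 is assumed; the slide only says "keyed hash") before export, the Data Miner joins records on the token alone, and the hash key is the XOR of two components so that neither the Data Miner nor the Law Firm can recompute tokens by itself. The field normalisation, the component sizes and the sample consumers are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Key components held by two different parties (constructed here; in practice
# each is generated and kept in that party's own secure module). The hash key is
# their XOR, so neither the Data Miner nor the Law Firm alone can recompute tokens.
DATA_MINER_COMPONENT = SecureRandom.random_bytes(32)
LAW_FIRM_COMPONENT   = SecureRandom.random_bytes(32)

def combine_components(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Canonicalise identity fields so the same person yields the same token at every
# pharmacy regardless of how the form was filled in.
def normalize_pii(name, dob, zip)
  [name.downcase.scan(/[a-z]+/).sort.join(' '), dob, zip[0, 5]].join('|')
end

# Keyed hash (HMAC-SHA256) of the canonical PII; this is the only identifier that
# leaves the pharmacy.
def pii_token(key, name, dob, zip)
  OpenSSL::HMAC.hexdigest('SHA256', key, normalize_pii(name, dob, zip))
end

# A pharmacy strips PII and exports only the token plus prescription data.
def pharmacy_export(key, pharmacy, records)
  records.map { |r| { token: pii_token(key, r[:name], r[:dob], r[:zip]), pharmacy: pharmacy, rx: r[:rx] } }
end

# The Data Miner groups prescriptions by token without ever seeing the PII.
def match_by_token(exports)
  exports.flatten.group_by { |e| e[:token] }.transform_values { |es| es.map { |e| [e[:pharmacy], e[:rx]] } }
end

# Constructed sample data: consumer X buys at pharmacies A, C and D (with the
# name and ZIP entered differently), consumer Y at pharmacy F.
SAMPLE = {
  'A' => [{ name: 'Pat Smith', dob: '1970-01-02', zip: '63101', rx: 'Prescription 1' }],
  'C' => [{ name: 'SMITH, PAT', dob: '1970-01-02', zip: '63101-4321', rx: 'Prescription 2' }],
  'D' => [{ name: 'pat smith', dob: '1970-01-02', zip: '63101', rx: 'Prescription 1' }],
  'F' => [{ name: 'Lee Jones', dob: '1982-11-30', zip: '63102', rx: 'Prescription N' }]
}.freeze

def run_matching(key)
  match_by_token(SAMPLE.map { |pharmacy, records| pharmacy_export(key, pharmacy, records) })
end
```

Rotating the Law Firm's component changes every token, so exports hashed under different key periods cannot be joined to each other without both components; `run_matching` still groups X's three purchases together under the new key.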
13
Standards and Compliance
  • American National Standards Institute (ANSI)
      • US standards body representative to ISO
      • Technical Committee 68 Financial Services
  • Accredited Standards Committee X9
      • ANSI accredited for the Financial Industry
      • US Technical Advisory Group (TAG) to ISO TC68
  • X9 American National Standards (short list)
      • PIN
      • Key Management
      • PKI
      • Biometrics
      • Trusted Time Stamps
      • Wireless (work in progress)

14
Audit and Assessments
  • X9 standards approach
      • Requirements
      • Technology specification to meet Requirements
      • Control Objectives to validate compliance with Requirements
      • Evaluation Criteria to verify compliance with Control Objectives
      • Audit language vetted by AICPA
  • TG-3 PIN Compliance (mandated by Pulse, Star, NYCE)
  • ANS X9.79 PKI WebTrust for CA (mandated by Microsoft)
  • Similar approach
      • ANS X9.84 Biometrics
      • ANS X9.95 Trusted Time Stamps
      • Revised X9.49 Remote Access Mutual Authentication
      • Draft X9.111 Penetration Testing
      • Draft X9.112 Wireless Security

15
Summary
  • Cryptography
      • Mature (4th millennium) technology
      • Constantly improving
  • Information Technology (IT)
      • Reviewed IT risks
      • Reviewed IT security issues
  • Business Issues
      • Reviewed Business risks
      • Application cryptography case studies
  • Conclusion
      • No one hardware or software product can satisfy all business needs, so why should we expect one cryptography solution?
      • Application cryptography solutions must meet business needs