Encryption is used to scramble data so that it can only be read by authorized parties. There are different encryption methods like private key encryption which uses one key, and public key encryption which uses two keys. Encryption is applied to data storage and network transmissions using protocols like SSL, SSH, IPSec and protocols like PPTP that enable VPNs. Proper implementation of encryption requires understanding threats and balancing security needs with costs.
Encryption is used to scramble data so that it can only be read by authorized parties. There are different encryption methods like private key encryption which uses one key, and public key encryption which uses two keys. Encryption is applied to data storage and network transmissions using protocols like SSL, SSH, IPSec and protocols like PPTP that enable VPNs. Proper implementation of encryption requires understanding threats and balancing security needs with costs.
Encryption is used to scramble data so that it can only be read by authorized parties. There are different encryption methods like private key encryption which uses one key, and public key encryption which uses two keys. Encryption is applied to data storage and network transmissions using protocols like SSL, SSH, IPSec and protocols like PPTP that enable VPNs. Proper implementation of encryption requires understanding threats and balancing security needs with costs.
Encryption is used to scramble data so that it can only be read by authorized parties. There are different encryption methods like private key encryption which uses one key, and public key encryption which uses two keys. Encryption is applied to data storage and network transmissions using protocols like SSL, SSH, IPSec and protocols like PPTP that enable VPNs. Proper implementation of encryption requires understanding threats and balancing security needs with costs.
Security Lecture 3 What is Encryption? • Encryption is the process of taking some information or data, manipulating or changing its format in a way that stops it from being used or read by unauthorized people or systems. • Encryption involves scrambling data so that it needs to be unscrambled, or decrypted, to be read. • Encryption can be applied to data in storage (file systems, media, etc) or in transit via network or Internet connections. Encryption Methods • Information encrypted needs to be decrypted by authorised systems or people for it to be of any use. To decrypt, the receiver may need some additional information. • For example you are given a coded message on a piece of paper. To read it you need to know how it was coded. It may use a simple method of substituting numbers for letters but to decipher the message you need to know what letter equates to what number. This is the 'key' that will unlock the code. The encryption process requires the following:
• Original information – This is the data or information prior to being
encrypted (may be referred to as plain or clear text) • An algorithm – a mathematical formula or process that accepts the input of original information and key data to produce an output or coded information (called cipher text) • Key data – data used by an encryption algorithm to encrypt or decrypt information • Cipher text – this is the encrypted original information produced by the encryption algorithm and key data. The algorithm may work in both directions meaning that information can be encrypted and decrypted with the correct keys. Ciphering • Ciphering is the process of how data or the original information is converted into cipher text. • The process uses algorithms and encryption processes, but more specifically this refers to how the raw data is managed. • There are generally two cipher methods. • Stream cipher • Block cipher Stream cipher • is a relatively simple method where each bit of data in the original information is sequentially encrypted using one bit of the key. • If the key is of a fixed length it may be possible to mathematically deduce the key by analysing the cipher text. • Using a variable length key or continually changing the key in the stream cipher process can theoretically produce an unbreakable encryption system. • One-Time pad is the process of continually varying the encryption key with random numbers. This method is not commonly used because of overheads and encrypting efficiency. Block cipher • encrypts the original information into chunks. Depending upon the encryption system, the size of these chunks or blocks will be fixed. • Each block is processed by an algorithm and key to produce blocks of cipher text. • These cipher text blocks can be further used with encryption keys to strengthen the encryption. • Block cipher processes more data than stream cipher on each pass and is more commonly used today. Private Key Encryption • Private key encryption is also known as symmetric encryption or single key encryption. • This encryption method requires the use of one key to both encrypt and decrypt information. • All people and systems accessing the cipher text must use the same key to decipher that was used to encrypt the data. Public Key Encryption • Public key encryption, also known as asymmetrical encryption, uses two keys known as a key pair. • One key is a private key and it is kept secret, only known to one person or system. • A second key, known as the public key, is generated (mathematically derived) from the private key. • The public key is not kept secret and is freely distributed to people or systems that wish to use encryption. Authentication - Digital Signatures • The public key is not secret and freely available so anyone could have encrypted the original data or information. • The originator can authenticate their data by using their private key. • This is done by using the originator's private key to encrypt information about the original data (usually checksum information). • This encrypted information is kept with or appended to the original data. This is known as a digital signature. • The purpose of digital signatures is to certify information, not conceal it. Digital Certificates • If the recipient of the message wishes to verify the digital signature they must use the sender's public key. • Digital Certificates provide a means of identifying and managing public keys. A digital certificate is a password protected and encrypted file that contains information about an individual's identity and their public key. • A certificate server stores digital certificates and is used as a central location for users requiring public keys. Public Key Infrastructure (PKI) • Public Key Infrastructure provides a means for users of an insecure network to exchange data securely and privately. • It is a complete infrastructure using public key encryption to provide the end to end security, confidentiality and accountability required for information exchange. A public key infrastructure consists of:
• A certificate authority (CA) that issues and verifies digital certificates. A
certificate includes the public key or information about the public key. • A registration authority (RA), a network authority that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it. • Locations where the certificates (with their public keys) are held. • A certificate management system. Kerberos • Kerberos is an authentication protocol that uses secret-key encryption to verify client identity and exchange information securely. • When a user attempts to logon to a server or system, a local agent sends an authentication request to the Kerberos server. • The server responds by sending encrypted credentials for the user back to the requesting server or system. • These credentials are then decrypted using the user-supplied password. • If this is successful, the user is issued Kerberos authentication tickets and a set of cipher keys to encrypt data sessions. Internet Protocol Security (IPSec) • This protocol defines encryption, authentication and key management for TCP/IP transmissions. It secures data in transmission by various means at the IP packets level. The key components of IPSec are: • Authentication Header (AH) This component authenticates and validates data packets. Each packet basically contains a digital signature • Encapsulation Security Payload (ESP) This component encrypts the data payload of the packet. • Internet Key Exchange (IKE) The above components AH and ESP use asymmetric encryption. IKE manages the public/private key exchanges for encryption and decryption. IPSec can operate in two modes:
• 'Transport' mode encrypts communications between two hosts.
• 'Tunnel' mode places an encrypted IP packet into a traditional IP packet to ‘tunnel through' to a destination. This is used to support VPN transmissions. Point-to-Point Tunnelling Protocol (PPTP) • The original Point-to-Point Protocol (PPP) is an encapsulation protocol for transporting IP traffic over point-to-point connections. • The Point-to-point Tunnelling Protocol (PPTP) is an expansion of the existing Point-to-Point Protocol (PPP). • PPTP uses the same principle of encapsulating other protocol packets so that they can be transported via a switched network (the Internet) to a specific destination. Virtual Private Network (VPN) • Virtual Private Networks are basically a secure connection through a network (Internet, WAN, etc) that connects either computers or networks together. • These connections make remote users appear that they are on one single network. • The main functions provided by VPNs are tunneling, data security, data integrity and authentication Secure Sockets Layer (SSL) • This is a method of encrypting TCP/IP transmissions between hosts. • It is used for the encrypt web pages and data on web forms reroute. The encryption method uses public key encryption. • It requires Digital Certificates Secure Shell (SSH) • This provides a secure means of establishing remote connections to a host. • It provides authentication via the exchange of digital certificates and uses public key encryption. • It is mainly used in Unix/Linux environment and is a means of using insecure protocols (telnet, ftp, etc) in a secure fashion. Pretty Good Privacy (PGP) • This is one of the most popular encryption programs. • This is a public key encryption system that provides authentication and encryption. • It is commonly used for email transmissions and supports a wide range of operating systems. Secure Data Storage • Encryption may be used to protect the confidentiality, integrity and authenticity of data in storage, such as that on a hard disk drive or tape. • Most operating systems and storage systems have inbuilt encryption facilities. • Implementing these may be more efficient but does place a reliance on the operating system. Threats to Encryption Systems • Deficiencies in human and business processes or procedures • Deficiencies in the cipher algorithm or process • Brute force attacks against the key Implementing Encryption Solutions • In all cases, any implementation of encryption solutions will be governed by the security requirements for an organisation or process.
• The benefits of encryption need to be weighed against the real
threats to data security, implementation requirements and costs.