Upload
julianna-moore
View
215
Download
0
Tags:
Embed Size (px)
Citation preview
COMP3371COMP3371Cyber SecurityCyber Security
Richard HensonRichard Henson
University of WorcesterUniversity of Worcester
October 2015October 2015
Week 3: Encryption and Week 3: Encryption and Technical ControlsTechnical Controls
Objectives:Objectives:Explain why, how, and to what Explain why, how, and to what
standard an organisation can set up standard an organisation can set up controls/ISMScontrols/ISMS
Compare security of most common Compare security of most common types of data transmissiontypes of data transmission
Explain encryption and decryptionExplain encryption and decryptionContrast between symmetric keys Contrast between symmetric keys
and asymmetric keysand asymmetric keys
Developing an Information Developing an Information Security Management Security Management
SystemSystem Each organisation is different! No Each organisation is different! No
template ISMS possibletemplate ISMS possible
ISO27001 standard lists over 100 ISO27001 standard lists over 100 possible controlspossible controlshow many are actually needed? how many are actually needed?
» depends on an organisation’s processesdepends on an organisation’s processes
for each control not usedfor each control not used» non-use needs to be justified…non-use needs to be justified…
An ISMS that is “fit for An ISMS that is “fit for purpose”purpose”
Analysis needs to acknowledge all aspects Analysis needs to acknowledge all aspects of how data is managedof how data is managed requires an understanding of processes and requires an understanding of processes and
associated dataassociated data
Risk assessment required to determine Risk assessment required to determine where controls are neededwhere controls are needed ISO27001 assumes all controls neededISO27001 assumes all controls needed no point spending money on controls where no point spending money on controls where
they are not needed but exemptions need they are not needed but exemptions need justifying…justifying…
A Security Controls approach A Security Controls approach light on ISMS: PCI DSSlight on ISMS: PCI DSS
System devised by Credit Card Companies System devised by Credit Card Companies (i.e. banks…)(i.e. banks…) https://www.pcisecuritystandards.org/
Guidelines for a number of years…Guidelines for a number of years… Now with v3 a sting in the tail for the SMENow with v3 a sting in the tail for the SME
heavy fines possibleheavy fines possible can be refused business merchant facilities…can be refused business merchant facilities…
Will affect small businesses WORLDWIDE Will affect small businesses WORLDWIDE selling online directly to consumersselling online directly to consumers
Requirements for PCI DSS Requirements for PCI DSS compliance? (1)compliance? (1)
12 controls (11 Technical)12 controls (11 Technical) Install and maintain a firewall configuration Install and maintain a firewall configuration
to protect cardholder datato protect cardholder data Do not use vendor-supplied defaults for Do not use vendor-supplied defaults for
system passwords and other security system passwords and other security parametersparameters
Protect stored cardholder dataProtect stored cardholder data Encrypt transmission of cardholder data Encrypt transmission of cardholder data
across open, public networks across open, public networks Use and regularly update anti-virus software Use and regularly update anti-virus software
or programsor programs
What is needed for PCI What is needed for PCI DSS compliance? (2)DSS compliance? (2)
Develop and maintain secure systems and applications Develop and maintain secure systems and applications
Restrict access to cardholder data by business need-to-Restrict access to cardholder data by business need-to-know know
Assign a unique ID to each person with computer access Assign a unique ID to each person with computer access
Track and monitor all access to network resources and Track and monitor all access to network resources and cardholder data cardholder data
Regularly test security systems and processes Regularly test security systems and processes
Maintain a policy that addresses information Maintain a policy that addresses information security for employees and contractorssecurity for employees and contractors
PCI DSS issuesPCI DSS issues
Is it realistic?Is it realistic? Is it essential?Is it essential? How can it be policed?How can it be policed?
Discussion in groups…Discussion in groups…
IASME & Cyber EssentialsIASME & Cyber Essentials
IASME uses principles of ISMS and IASME uses principles of ISMS and like ISO27001 uses 100+ controls… like ISO27001 uses 100+ controls… but designed to be more SME but designed to be more SME friendlyfriendly
Cyber Essentials requires only 5 Cyber Essentials requires only 5 controls… all essentially technicalcontrols… all essentially technicalCyber Essentials now a minimum for Cyber Essentials now a minimum for
government contractsgovernment contractsuseful starting point? No IS policy!useful starting point? No IS policy!
Useful Technical Knowledge Useful Technical Knowledge (covered in level 1 & 2 (covered in level 1 & 2
modules)modules) Client-server networkingClient-server networking The Seven OSI software layers & The Seven OSI software layers &
the TCP/IP protocol stackthe TCP/IP protocol stack Web servers and browsersWeb servers and browsers The importance of updatesThe importance of updates How firewalls fit in with the How firewalls fit in with the
above…above…
Security of Data on the Security of Data on the move: Internal networksmove: Internal networks
Most organisational computers regularly Most organisational computers regularly interchange datainterchange data
Data could in theory be copied (although Data could in theory be copied (although not destroyed) by being intercepted:not destroyed) by being intercepted: as it passes between computers through use as it passes between computers through use
of e/m waves (easy)of e/m waves (easy) in copper cables (difficult)in copper cables (difficult) In optical fibre cables (very difficult)In optical fibre cables (very difficult)
The organisation therefore needs to The organisation therefore needs to vigilant…vigilant…
Security and copper Security and copper cablescables
UTP (Unshielded Twisted Pair) cable is UTP (Unshielded Twisted Pair) cable is cheap, but not totally secure:cheap, but not totally secure: electricity passing through a cable creates a electricity passing through a cable creates a
magnetic field…magnetic field… can then be intercepted and used to can then be intercepted and used to
recreate the original signal…recreate the original signal…
Shielding stops the magnetic field Shielding stops the magnetic field spreading outspreading out STP (Shielded Twisted Pair) cabling STP (Shielded Twisted Pair) cabling
available but more expensive…available but more expensive…
Security, cost and Security, cost and Fibre Optic CablesFibre Optic Cables
Much more secure than even shielded Much more secure than even shielded coppercopper digital data transmitted as a high intensity digital data transmitted as a high intensity
light beamlight beam no associated magnetic field; data can’t be no associated magnetic field; data can’t be
“tapped”“tapped” Can carry much more data than twisted Can carry much more data than twisted
pairpair but:but:
» cost… of cables… of installation…cost… of cables… of installation…
Which to choose, UTP, STP, optical fibre?Which to choose, UTP, STP, optical fibre? cost v risk balancing actcost v risk balancing act
Security and Radio WavesSecurity and Radio Waves System easy to installSystem easy to install
no cabling needed, just signal boostersno cabling needed, just signal boosters
BUT… without encryption & BUT… without encryption & authentication, not secure at all!authentication, not secure at all! can be received by anyone within range and can be received by anyone within range and
with the right equipmentwith the right equipment especially easy to pick up if transmitted as especially easy to pick up if transmitted as
“fixed spectrum”“fixed spectrum”» ““Spread spectrum” radio waves can only be Spread spectrum” radio waves can only be
picked up by equipment that can follow the picked up by equipment that can follow the changes in frequencychanges in frequency
such equipment MUCH more expensive…such equipment MUCH more expensive…
Security and Security and Network HardwareNetwork Hardware
Very small organisations may use Very small organisations may use peer-peer networking and peer-peer networking and cabling/wirelesscabling/wireless same dangers…same dangers…
Use intelligent hubs, switches, and a Use intelligent hubs, switches, and a router to connect everything together router to connect everything together and link to Internetand link to Internet data will be stored on these devices data will be stored on these devices
before forwardingbefore forwarding plenty of hacks started by compromising a plenty of hacks started by compromising a
router!router!
Standard Internet Standard Internet Protocols and SecurityProtocols and Security
Early Internet:Early Internet: users military personnel, research centre admin, etc. users military personnel, research centre admin, etc. all security vettedall security vetted protocols not designed with security in mindprotocols not designed with security in mind
» about getting data safely & reliably from one place to about getting data safely & reliably from one place to anotheranother
OSI model ordered protocols into a 7-layer OSI model ordered protocols into a 7-layer stack:stack: based on TCP and IPbased on TCP and IP
» user system security already built in at the session layeruser system security already built in at the session layer» no inherent security for data on the moveno inherent security for data on the move
Network-NetworkNetwork-Network Most networks now use TCP/IP for Internet Most networks now use TCP/IP for Internet
connectivityconnectivity Any intelligent device with an IP address Any intelligent device with an IP address
and connected to the Internet theoretically and connected to the Internet theoretically visible across the network/Internetvisible across the network/Internet otherwise, packets couldn’t be navigated to it!otherwise, packets couldn’t be navigated to it!
Data on such a device could be:Data on such a device could be: located using its IP addresslocated using its IP address copied to another destination using a remote copied to another destination using a remote
computer and an appropriate network protocol computer and an appropriate network protocol (e.g. NFS – network file system, part of the (e.g. NFS – network file system, part of the TCP/IP suite))TCP/IP suite))
It really is as simple as that!!!It really is as simple as that!!!
Copying, Changing, or Copying, Changing, or Deleting Data on a Deleting Data on a
networked computernetworked computer Data could be tapped in exactly the same Data could be tapped in exactly the same
way on any Internet computerway on any Internet computer must have an IP address to participate on the must have an IP address to participate on the
InternetInternet
packets going to that computer have a packets going to that computer have a destination IP address in the header, and destination IP address in the header, and headers can easily be readheaders can easily be read
NFS can be used to manage data remotely on NFS can be used to manage data remotely on that computer – which could include copying that computer – which could include copying or (perhaps worse) deleting that data, or even or (perhaps worse) deleting that data, or even BOTHBOTH
Technologies for Technologies for Implementing Security Implementing Security
ControlsControls The rest of this session focuses on The rest of this session focuses on
ensuring the security of data “on ensuring the security of data “on the move”…the move”…through cabling systemsthrough cabling systemsin radio wavesin radio wavesvia human transportation systems via human transportation systems
stored on digital mediastored on digital media» hard disks & CDshard disks & CDs» digital backup tapesdigital backup tapes» USB sticks…USB sticks…
Client-Server Network: do’s and Client-Server Network: do’s and don'ts for administrators don'ts for administrators
Only allow authorised (and TRUSTED) users to Only allow authorised (and TRUSTED) users to gain access to the networkgain access to the network ensure users are always properly authenticatedensure users are always properly authenticated
Only allow network administrators to have full Only allow network administrators to have full accessaccess
Monitor the network continually to provide alerts Monitor the network continually to provide alerts that unauthorised access is being soughtthat unauthorised access is being sought
Encrypt data that will be sent through UTP cables Encrypt data that will be sent through UTP cables and/or held on computers that are connected to and/or held on computers that are connected to the Internetthe Internet
When using the www, use secure versions of When using the www, use secure versions of network protocols and/or tunnelling protocols to network protocols and/or tunnelling protocols to encapsulate and hide dataencapsulate and hide data
The Virtual Private NetworkThe Virtual Private Network
Secure sending of data through the InternetSecure sending of data through the Internet
Only use a restricted and very secure set of Only use a restricted and very secure set of Internet routersInternet routers
No IP address broadcasting, because all packets No IP address broadcasting, because all packets use the same routeuse the same route
IP tunnelling protocol encapsulates dataIP tunnelling protocol encapsulates data» normal Internet users will therefore not be able to see normal Internet users will therefore not be able to see
the sending, receiving, or intermediate IP addressesthe sending, receiving, or intermediate IP addresses Data sent is encryptedData sent is encrypted
Potential hackers don’t get a look in!Potential hackers don’t get a look in!
Encyption/DecryptionEncyption/Decryption Technique of changing digital data Technique of changing digital data
in a mathematical reversible way in a mathematical reversible way Makes it impossible to get at the Makes it impossible to get at the
information… data representing it information… data representing it scrambledscrambled
Coding data not new…Coding data not new…been happening for millenniabeen happening for millenniamany clever techniques involvedmany clever techniques involvedEncryption studies - cryptographyEncryption studies - cryptography
What is Cryptography?What is Cryptography? ““The safe securing, storing, and transmitting The safe securing, storing, and transmitting
of sensitive information”of sensitive information”
Purpose: Purpose: conceal sensitive information from unauthorised conceal sensitive information from unauthorised
personspersons
Outlines protocols, practices, procedures to Outlines protocols, practices, procedures to build components of a build components of a cryptosystem cryptosystem including…including… authenticity (proof of ownership)authenticity (proof of ownership) integrity (data not tampered with in any way)integrity (data not tampered with in any way)
What is a Cryptosystem?What is a Cryptosystem?
Well?....Well?....
OSI layers and OSI layers and cryptosystemcryptosystem
Encryption level depends Encryption level depends on:on: circumstancescircumstances riskrisk value of informationvalue of information
could be layer 1could be layer 1 e.g. electronically, in e.g. electronically, in
communications equipmentcommunications equipment could be layer 7…could be layer 7…
encrypted directly from/to encrypted directly from/to the screenthe screen
Layer 7
Layer 1
screen
hardware
software
Key Escrow & RecoveryKey Escrow & Recovery Law enforcement agencies can Law enforcement agencies can
intervene to decode encypted dataintervene to decode encypted data under a court order in pursuit of criminal evidence or activityunder a court order in pursuit of criminal evidence or activity
Escrow: Escrow: system of checks and balances to ensure that system of checks and balances to ensure that
privacy rights are not infringed where agencies privacy rights are not infringed where agencies need to get hold of encrypted informationneed to get hold of encrypted information
separate agencies keep complementary separate agencies keep complementary components of the key system so no entity components of the key system so no entity possesses a usable keypossesses a usable key
Email data and Email data and EncryptionEncryption
As discussed earlier, sensitive data needs As discussed earlier, sensitive data needs protecting…protecting… Internet designed to be an “open” systemInternet designed to be an “open” system IDs of devices based on IP addressIDs of devices based on IP address
Data at rest or moving round the Internet Data at rest or moving round the Internet could be intercepted by:could be intercepted by: someone with a good knowledge of TCP/IPsomeone with a good knowledge of TCP/IP any IT literate person with the appropriate any IT literate person with the appropriate
softwaresoftware This person could be anywhere in the This person could be anywhere in the
world!world!
How does Encryption How does Encryption work?work?
Unencrypted data sent e.g. in forms or Unencrypted data sent e.g. in forms or email messages over the Internet email messages over the Internet usually a sequence of ASCII codesusually a sequence of ASCII codes
ASCII code generated at keyboard by ASCII code generated at keyboard by converting a selected keyboard character converting a selected keyboard character into a particular binary numberinto a particular binary number
intercepted ASCII codes not secret; very intercepted ASCII codes not secret; very easily converted back to texteasily converted back to text
Encryption of ASCII dataEncryption of ASCII data
Encryption puts further coding onto each Encryption puts further coding onto each ASCII character in some reversible way ASCII character in some reversible way before it is sent. Requires…before it is sent. Requires…
a coding method (often a mathematical a coding method (often a mathematical operation)operation)
a numerical value used with the coding methoda numerical value used with the coding method
The ASCII codes can always be recovered by The ASCII codes can always be recovered by someone who knows the encryption methodsomeone who knows the encryption method
Simple Encryption Simple Encryption ExampleExample
AlgorithmAlgorithm based on a mathematical based on a mathematical operation such as ADDoperation such as ADDkey based on a numerical digit (e.g 5)key based on a numerical digit (e.g 5)
DataData represented by an ASCII code represented by an ASCII code
Algorithm + key produce Algorithm + key produce encrypted encrypted data data
Using EncryptionUsing Encryption
The key must be kept secretThe key must be kept secretanyone with access to the key and the anyone with access to the key and the
algorithm can decrypt the encrypted algorithm can decrypt the encrypted data data
BOTH of:BOTH of:coding methodcoding methodkey used to produce cipher text key used to produce cipher text
needed to decryptneeded to decrypt
DiagramDiagram – single key – single key encryptionencryption
User sends message
via server
server
key
Data is transmitted to
another server
key
Message is coded
Message is decoded
Message is received
Simple example of an Simple example of an Encryption MethodEncryption Method
Method of encryption – add 5 to each Method of encryption – add 5 to each ASCII code (this would be the key)ASCII code (this would be the key) plain text = HELLO (ASCII codes 48 45 4B plain text = HELLO (ASCII codes 48 45 4B
4B 4F)4B 4F) cipher text would be MJQQT (ASCII codes 4D cipher text would be MJQQT (ASCII codes 4D
4A 50 50 54)4A 50 50 54) Getting the original data back would Getting the original data back would
mean subtracting 5 from each ASCII mean subtracting 5 from each ASCII character – very easy to anyone with character – very easy to anyone with access to the keyaccess to the key
Effectiveness of Effectiveness of EncryptionEncryption
Only effective if:Only effective if: either the key remains secreteither the key remains secret or the algorithm remains secretor the algorithm remains secret
WWII: Germans thought they had an WWII: Germans thought they had an encryption method that was impossible encryption method that was impossible to decipherto decipher
With the efforts of the Mathematicians With the efforts of the Mathematicians at Bletchley Park, the key and algorithm at Bletchley Park, the key and algorithm were decipheredwere deciphered
Access to Encrypted DataAccess to Encrypted Data
Stored, encrypted file
NTFS
EFS enabled
File system that supports encryption
Authorised User
Unauthorised User
Dataencrypted
Access Denied
Fileaccessed
“MJQQT”
“HELLO”
Encryption in PracticeEncryption in Practice Many techniques have been developed Many techniques have been developed
Examples:Examples: DES (Data Encryption Standard)DES (Data Encryption Standard) IDEA (ID Encryption Algorithm)IDEA (ID Encryption Algorithm) RSA (Rivest, Shamir, Adleman)RSA (Rivest, Shamir, Adleman) Diffie-HellmannDiffie-Hellmann
Classified into two types:Classified into two types: Symmetric KeySymmetric Key Asymmetric KeyAsymmetric Key
Symmetric EncryptionSymmetric Encryption SSender and receiver share a single, ender and receiver share a single,
common keycommon key – known as a – known as a symmetric symmetric keykey
UUsed sed both both to encrypt and decrypt the to encrypt and decrypt the messagemessage
Advantages: Advantages: simpler and faster than simpler and faster than other systemsother systems
Disadvantages:Disadvantages: the two parties must the two parties must need toneed to exchange the exchange the
key in a secure waykey in a secure way the sender cannot easily be authenticatedthe sender cannot easily be authenticated
DES – an example of DES – an example of symmetric encryptionsymmetric encryption
IBM/US gov, 1974-7; IBM/US gov, 1974-7; still popularstill popular 56-bit encryption working on 64-bit blocks of data56-bit encryption working on 64-bit blocks of data
However, in view of recent research, clearly However, in view of recent research, clearly inadequate for really secure encryptioninadequate for really secure encryption ““Using P2P architecture and over 100,000 Using P2P architecture and over 100,000
participants (using only idle CPU time), participants (using only idle CPU time), distributed.net was able to test 245 billion keys distributed.net was able to test 245 billion keys per second to break the 56 bit DES encryption per second to break the 56 bit DES encryption algorithm in less than 24 hours (22 hours and 15 algorithm in less than 24 hours (22 hours and 15 minutes).”minutes).”
What levels of encryption What levels of encryption are available?are available?
The more complex the key, the The more complex the key, the more difficult the encryption more difficult the encryption method is to deciphermethod is to deciphera single 40-digit key can be a single 40-digit key can be
mathematically deduced very mathematically deduced very quickly using a computerquickly using a computer» known as WEAK encryptionknown as WEAK encryption
an equivalent 128-digit key would an equivalent 128-digit key would take much longer to “crack”take much longer to “crack”» known as STRONG encryptionknown as STRONG encryption
Making Encryption as Making Encryption as Effective as PossibleEffective as Possible
It makes sense to use 128-digit key It makes sense to use 128-digit key encryption if possible….encryption if possible….
However, with commercial products there However, with commercial products there may be trade offs…may be trade offs… e.g. Verisign 40-bit SSLe.g. Verisign 40-bit SSL
» actually 128-bit within USactually 128-bit within US» 40-bit for any communications that go outside 40-bit for any communications that go outside
US borders…US borders… e.g. e.g. Verisign Global Server SSLVerisign Global Server SSL
» ““the world’s strongest encryption”the world’s strongest encryption”» standard for large-scale online merchants, standard for large-scale online merchants,
banks, brokerages, health care organisations banks, brokerages, health care organisations and insurance companies worldwideand insurance companies worldwide
Strong encryption may cost a little moreStrong encryption may cost a little more Is the extra expense going to be justified?Is the extra expense going to be justified?
Breaking an Breaking an Encryption TechniqueEncryption Technique
Usually achieved with the aid of very Usually achieved with the aid of very powerful computerspowerful computers
The more powerful the computer, the The more powerful the computer, the more likely that the key can be more likely that the key can be mathematically deducedmathematically deduced
Until fairly recently, a 128-bit encryption Until fairly recently, a 128-bit encryption key would have been considered to be key would have been considered to be secure secure
However, a research team have now However, a research team have now succeeded in breaking 128 bit encryption succeeded in breaking 128 bit encryption in seconds, using a supercomputer…in seconds, using a supercomputer…
Secure Keys for Today and Secure Keys for Today and Tomorrow…Tomorrow…
256-bit encryption is probably now a 256-bit encryption is probably now a minimum for single key encryptionminimum for single key encryption but only a matter of time…but only a matter of time…
512-bit encryption is currently used by 512-bit encryption is currently used by financial institutions to transfer funds financial institutions to transfer funds electronically via the Internetelectronically via the Internet again, only a matter of time before even again, only a matter of time before even
this can be cracked…this can be cracked… Solution - 1024 bit keys?Solution - 1024 bit keys?