Joseph Webster, CISSPSenior Member IEEEBSEE Colorado State UniversitySoftware and Systems Security ArchitectFounding member of ShieldMyfiles

Encryption ≠ Protection

A proposed framework for thinking

about file security

June 9th, 2015

Introduction 1.0

HELLOmy name is

HELLOmy name is

HELLOmy name is

Alice Needs Bob’s File.

But…

Bob’s file is sensitive

and Bob doesn’t

want anyone but

Alice to see it.

Introduction 1.1

Bob fears for the Security

of his files in the cloud

After All Bob Doesn’t Control His

Cloud

Bob Has Some Concerns…

Introduction 1.1

Bob Doesn’t Want to Exchange Keys or

Certificates …

Login Vignette Production Slide

It Shouldn’t Take a Portal to Share a Single File!

Bob Doesn’t Have Time to Manage a

Million User Accounts!

Introduction 1.1

1234

1040

20

You Can’t Keep a Secret By Telling It!

A Framework For File Protection

There are 3 Tenets to this Framework:

1) Obfuscation

2) Access Controls

• Who

• How

• When

• Where

Files may be accessed

3) Auditability

Requiring Separation of Duties

Obfuscation

Obfuscation = Custody

Physical World

$

• Protection without Possession

• Bank

Digital World

• Encryption

• Enciphering

• Steganography

• Safety Deposit Box

Access Controls

Access Controls = Authorization

Physical World - Bank

• Hours of Operation

Digital World

• Signature Card

• Finger Print

• Physical Location

• Account Number

• Where – Geolocation

• When – Expiration

• Who – Biometrics

• Who – Password

• How – UserID

Section 3 – Transaction History

Time:

Signature Card: Finger Print:

Account:

Auditability

000-7-17-12-0-14-26 - Super Secret Bank - Zurich

Auditability = Auditability

Physical World – Bank Statement

• Account/User Information

Digital World

• Transaction History

• Transaction Information

• Identifying Information

• Transaction Information

• Transaction History

• Recreate a system state, and events

over time, for post facto

identification of problems

Alice’s Statement

Section 1 – Identifying Information

Section 2 – Transaction Information

Date: Not a Holiday, Not a Weekend.

Applying the Framework

TRUECRYPT

1. Obfuscation

2. Access Controls

3. Auditability

Separation of Duties

Obfuscation

~ Access Controls

X Auditability

• Uses Derived Key Cryptography

• Public/Private Key

1. Obfuscation

2. Access Controls

3. Auditability

Separation of Duties

• Uses Derived Key Cryptography

• Passphrase/Key Files

Obfuscation

~ Access Controls

X Auditability

Applying the Framework Cloud

1. Obfuscation

2. Access Controls

3. Auditability

Separation of Duties

~ Obfuscation

Access Controls

Auditability

• Yes, but not from Google

• Passphrase, Multifactor, Share

1. Obfuscation

2. Access Controls

3. Auditability

Separation of Duties

• AES256/TLS256

• Passphrase, Plugins, Sharing

~ Obfuscation

Access Controls

Auditability• Work Edition • Very Nice Dashboards

Meeting the Framework

1. Obfuscation

2. Access Controls

3. Auditability

Separation of Duties

• Deriving/Issuing keys can be dangerous

especially with cloud services

• Need multiple avenues for

authorization to fit security to need

• Chain of custody is essential

• Only works if keys are not

derived/issued by the Obfuscation,

Access Control and Auditability provider

• Protection WITHOUT Possession

TRUECRYPT

Joseph Webster, CISSPjoe@shieldmyfiles.com

Joseph.Webster@ieee.org

J. Max Romanik, J.D., M.B.A.max@shieldmyfiles.com

Christopher S. Webster, J.D.

chris@shieldmyfiles.com

https://www.shieldmyfiles.com/

Contact Us Learn More