bill's blog


In an odd twist of fate, risk assessment and encryption follow many of the same principles. It’s about identifying what the data is worth and then putting a value on it. Once that is done, protecting the data becomes a matter of pain threshold. In other words, what can we afford to lose and how much will it cost us to protect it? In encryption the principle in effect is: how long will it take someone to crack the encryption, and will the data still be valuable when they do? It is tricky to assess pain threshold, as everyone feels like his or her data is the most important to the organization. Certainly trade secrets and financials rate high on the pain threshold index. But what about creative artwork? It depends. Is time to market critical? Or is there a feature set that will put your organization far in front of the competition? These are all questions that need to be answered before one can determine the worth of the data being protected.

Ultimately, if you want to deploy a technology it’s up to you to determine the ROI and present it to the holders of the purse strings. It’s up to you to convince them that what you’re trying to do is worth the investment.

Data encryption is an often-overlooked aspect of computer usage. For many years encryption was looked at as a technology to protect your data as it traverses the Internet. But what about the data that is at rest on your computer? We’ve all read about the VA’s data loss, in which 26.5 million individuals were exposed. An analyst had taken home the database of veterans’ names, dates of birth, Social Security numbers, and some health records to work on a project, according to the VA (Gross, 2006). One key aspect of protecting data is employee education. Employees need to respect the data they are dealing with. Complacency is a big issue. Like anything else, the more you use something the more comfortable you become with using it. Picking up a chainsaw for the first time, you know the potential hazards of its misuse and treat it with kid gloves… the more you use a chainsaw the more comfortable you are. The device is no less hazardous, but the precautions you took as a novice seem to give way to more nonchalant use.

So what to do about this? Well, there are varying schools of thought on this. One way is to encrypt the entire hard drive. When the user first turns on their computer they need to enter a password to unlock the drive and begin the boot process. The nice thing about this is that the end-user only needs to worry about unlocking the computer with a password, and then everything stored on the computer is encrypted. The bad thing is that if the password to unlock the drive is lost… so is everything on the computer. The latest release to the PGP® Encryption Platform, PGP Whole Disk Encryption 9.9, adds pre-boot authentication to the proven PGP Corporation data encryption technology for Intel-based Mac OS X systems “Tiger” and “Leopard,” providing protection for data on desktops, laptops, and removable media (pgp.com, 2008).

The other school of thought is to only encrypt the user space. There are various ways to accomplish this, and Apple provides a number of solutions right out of the box. The Ponemon Institute is an advocacy group that deals with information and privacy issues. According to their findings in 2007, the cost of a data breach was approximately $197 per record, an increase of more than 40 percent since 2005 (Bocek, 2008). Now that may not seem like much, but if you figure that number into the number of records exposed in the VA breach, that’s 5.2 trillion dollars. Ouch! So how has Apple made it easy to protect data that resides on your computer? Apple has two technologies that can be used to both store and securely erase data on your hard drive. They are:

1. FileVault
2. Encrypted Disc Images

FileVault

The main premise behind FileVault is that each user’s home directory is stored on an encrypted disk image. The disc image is created using the user’s password. The image is only unlocked when the user logs in. This eliminates the possibility of accidental data loss due to bad file permissions on the users’ part in environments where users share machines. One feature that is different from traditional whole disk encryption schemes is that, in addition to the user’s password being used to encrypt the image, you can set up a master password for all FileVault images stored on your machine. Some may see this as a security hole, but in enterprise-based environments this is a godsend! How many times during a typical week are you called for a password reset?

Figure 1 Security Preference Pane

Turning on FileVault is extremely simple. In System Preferences, select the Security Pane; you are now presented with everything you need to get the process started. Clicking on the “Set Master Password…” button will present a dialogue sheet to set the master password for the machine. Fill in the password and then verify it, as this dialogue will display “•” when entering characters into the password fields. One may be tempted to add a password hint. This is generally NOT a good idea!

Figure 2

Additionally, Apple provides a password strength tool. Clicking on the key next to the “Master Password:” field (see Figure 3) presents the tool.

Figure 3. Password Assistant Tool

Note: The password is presented in clear text. The better the password the further to the right the green bar extends.

Once this is completed you’re all set up with encrypted home directories. When setting up FileVault accounts for the first time, some time is required to do the actual encryption. How large your existing home directories are will determine how much coffee you’ll need to drink.

Encrypted Disc Images

Encrypted disc images are very similar to FileVault directories, with two major differences. One, they are portable. You can copy the image from machine to machine. The contents of the images are encrypted, so if you happen to put the image onto a flash drive and lose it, your data is protected. Two, there are no master passwords to help you out should you forget your password. So you can forget the magic bullet to help you out. Your data is lost!

To create an encrypted disc image, open Disk Utility. It can be found in /Applications/Utilities. Select “New Image” from the toolbar across the top of the main window. This will present you with a dialogue box where you can indicate where you want the image saved, how big you want it, what type of file system to lay down and, most importantly in terms of this discussion, how strong you want the security to be. If you’re in an environment that makes use of PKI using PGP, you can leverage the power of PGP’s whole disc encryption to encode the entire flash drive. Then when you insert the flash drive into your machine, PGP will automatically open the image and display it on your desktop. You can accomplish the same thing by adding the password of the encrypted image to your Keychain. This will yield the same results, but it’s more tedious insofar as you need to load the password onto all the machines that the flash drive will be used on. This is very labor intensive if you’re dealing with 500 flash drives and 500 computers.

Figure 4

For all of those in the government sector, selecting 256-bit encryption will yield a FIPS 140-2 compliant disc image (see Figure 4).

Encrypting data at rest is simple… and not as expensive as the loss of data can be. Recently, the case of the 2006 Department of Veterans Affairs data loss, resulting from the theft of an unencrypted laptop containing the names, birth dates and Social Security numbers of approximately 26.5 million veterans, was settled.
“The settlement with the Department’s members and families over their alleged invasion of privacy should be a severe warning to any organization that isn’t using encryption on its laptops and other portable devices capable of data storage,” said Michael Callahan, vice president at encryption specialist Credant (Thomson, 2009).

The cost… $20 million… certainly less than the cost of encryption.

Resources:

Bocek, K. & Ma, T., (2008), Data Encryption for Dummies, Indianapolis, IN: Wiley Publishing

Gross, G., (2006, May 5), VA data loss could prompt federal privacy law, Retrieved on Feb 3, 2009 from http://www.networkworld.com/news/2006/060506-va-data-loss-could-prompt.html

Thomson, I., (2009, Jan 28), US veterans win $20m payout over lost laptop, Retrieved on Feb 3, 2009 from http://www.vnunet.com/vnunet/news/2235300/va-fined-million-breach

Unknown, (2008, June), PGP Corporation Delivers Pre-Boot Authentication to PGP Whole Disk Encryption for Mac OS X Users Retrieved on Feb 3, 2009 from http://www.pgp.com/newsroom/mediareleases/wde_for_mac_osx.html

Today, more and more people are using the Internet to conduct business transactions. One thing that is for certain, the Internet is not a private place.

Nefarious individuals can easily read email messages that are sent over the Internet. Additionally, it’s not hard to send an email as someone else, and if the receiver of the email is not careful they will assume that it came from the individual whose email address was just spoofed. A second area of concern is the increase of e-commerce web sites. More and more businesses are aware of the consumer spending that happens on the Internet and are setting up websites to cash in on this spending. Any miscreant can set up a website and abuse consumer trust. How is a consumer to know that they are actually dealing with whom they think they are buying from? Additionally, there is the credit card transaction that is needed for the payment of goods. Most web traffic is sent via clear text. How is my credit card information protected?

Caveat emptor? So how do we safeguard this information? Digital certificates!

Digital certificates ensure three things: one, that the entity is really who they say they are; two, that the message is kept private through the use of encryption; and three, that the message has not been tampered with. Digital certificates make use of asymmetrical keys. The security afforded by asymmetric cryptosystems depends on mathematical problems that are difficult to solve, such as factoring large integers into primes (Mactaggart, 2001). Asymmetrical encryption includes a private key and a public key. They are used for the encryption process and they serve a few different roles. First, the public key is used to encrypt data that only the corresponding private key can decrypt. This process secures the information that is put out on the wire. The private key is used to encrypt data that the owner of the key wishes to share. This process vouches that the information is truly from the individual that sent it. It is for this reason that the appropriate safeguards are put into place to secure the private key. The next thing that is part of a digital certificate is the entity’s information. “Entity” is used because the information can describe an individual, an organization or a computer. This is the information that tells the relationship between such things as the user’s name and their email address, or a company’s name and where they’re located, or a particular computer and its associated Fully Qualified Domain Name (FQDN). The last thing that is part of a digital certificate is a trusted third party endorsement. There are various ways to do this. One of the most common is to use a well-known Certificate Authority (CA) such as Verisign. A CA issues Digital Certificates that contain public key and private key pairs. The CA also attests that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate (Various, 2007).

There are two common uses for digital certificates: one, to secure web (or other network) transactions, and two, to confirm the identity of the entity you’re dealing with.

SSL, or Secure Sockets Layer, certificates serve to combat the problems of sending sensitive data over the Internet. SSL provides your Web site’s users with the assurance of access to a valid, “non-spoofed” site, and it prevents data interception or tampering with sensitive information. Support for SSL is built into all major operating systems, web applications, and server hardware (verisign.com, 2005). This becomes particularly important when dealing with e-commerce transactions. Most business transactions on the Internet contain some kind of sensitive information. In the real world, things like credit card numbers, social security numbers and bank account numbers are often closely guarded, and the individual controls access to this information. As mentioned above, the Internet is not private, and without encryption your private information can be easily read.

SSL connections make use of both asymmetrical and symmetrical encryption. The first thing that happens in an SSL connection is the client computer makes a network connection with a server that is using SSL certificates. This happens on various ports depending on which protocol (WEB, POP, SMTP, etc.) is being used. The server then passes the client computer its public key. At this step the client needs to determine whether or not to accept this public key. There are various methods to check the validity of the key. It can check that the public key and the server’s FQDN match. It checks to make sure that the key has not been revoked and has not expired. It checks the endorsement or issuer of the key and verifies them as a trusted party. Once the trust is established, the client will create a session key. The client takes that key and encrypts it with the server’s public key. It then encrypts that with its (the client’s) private key. This is done so that the server knows that the encrypted session key is really coming from the client. The server decrypts the session key and uses the session key to encrypt all data thereafter. The session key is an example of symmetrical encryption: both sides are using the same key to encrypt and decrypt the information.

The use of Digital IDs is designed to combat the misuse of email systems and to assure the email’s recipient that the email is truly from the sender. A Digital ID makes it possible to verify someone’s claim that they have the right to use a given key, helping to prevent people from using phony keys to impersonate other users (nrc.gov, 2000). Digital IDs make use of public/private keys. All public/private key encryption depends on trust and on making sure that the keys are real.

Digital IDs work by hashing the text message you want to send. The hashed message creates what’s called a Message Digest, or MD. The MD is then encrypted with the sender’s private key. This creates what is called a Digital Signature for that message. The recipient of the message then decrypts the digital signature using the sender’s public key. The recipient must also hash the text message to get an MD. The decrypted MD is compared to the MD that the recipient created, and if the two match then the message is known to have come from the sender. The use of public/private keys relies on the proper protection of the private key. It is assumed that proper measures have been put into place to protect the private key and that only the owner of the private key has access to it.
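
The hash, sign and compare steps above, as an added Python example that is not code from the original post. It assumes unpadded textbook RSA with a toy key built from two public Mersenne primes so that it runs on the standard library alone; production signatures use randomly generated keys and a padded scheme such as RSASSA-PSS, and all function names here are this example's own.

```python
import hashlib

# Toy key pair, constructed for this example only: two well-known Mersenne
# primes stand in for the secret primes. Real keys use random secret primes.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def message_digest(message: bytes) -> int:
    """Hash the message; the result is the Message Digest (MD)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Sender: transform the MD with the private key to get the signature."""
    return pow(message_digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Recipient: recover the MD with the public key, re-hash, and compare."""
    if not 0 <= signature < N:
        return False                 # not a value this key could have produced
    recovered_md = pow(signature, E, N)
    return recovered_md == message_digest(message)


def demo() -> dict:
    original = b"Wire $100 to account 12345"   # constructed sample message
    sig = sign(original)
    return {
        "genuine": verify(original, sig),
        # Same signature, altered text: the recipient's MD no longer matches.
        "tampered_message": verify(b"Wire $900 to account 12345", sig),
        # Same text, altered signature: the recovered MD no longer matches.
        "altered_signature": verify(original, (sig + 1) % N),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

Only the holder of `D` can produce a value that passes `verify`, which is why the paragraph above stresses protecting the private key.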

So how do we know that the keys we are dealing with are valid and trusted? There are two different ways this is done. One is with the use of PKIs, or public key infrastructure systems. A PKI contains the certificate storage facilities of a certificate server, but also provides certificate management facilities (the ability to issue, revoke, store, retrieve, and trust certificates) (pgpi.org, 1999). Examples of well-known PKIs are commercial CAs such as Verisign or Geotrust. These organizations are trusted because they perform the due diligence to ensure that the certificate that they issue is indeed being given to the rightful owner. The other way is through a Web of Trust. The WOT is a trust model adapted from the original PGP (Pretty Good Privacy) Web of Trust, whereby people certify one another in order to establish a level of trust among people who have never met (thawte.com, 2004). The WOT relies on other individuals to endorse or verify the validity of other members’ credentials. With this system you trust a much bigger group.

References

Mactaggart, Murdoch, (2001, March 1). Introduction to cryptography, Part 3: Asymmetric cryptography, Retrieved March 7th from http://www-128.ibm.com/developerworks/library/s-crypt03.html

Unknown, (1999). How PGP Works, Retrieved March 9th from http://www.pgpi.org/doc/pgpintro/#p14

Unknown, (2000). NRC- Introduction to Authentication, Retrieved March 11th from http://www.nrc.gov/site-help/e-submittals/faqs/intro-auth.html

Unknown, (2004, July 14). Protect your E-Mail and Join the thawte Web of Trust, Retrieved March 8th from http://www.thawte.com/wot/index.html

Unknown, (2005, May 24). What Every E-Business Should Know about SSL Security and Consumer Trust, Retrieved March 8th from http://www.verisign.com/static/017444.pdf

Various, (2007, March 6). Certificate authority, Retrieved March 11th from http://en.wikipedia.org/wiki/Certificate_Authority