
4. Encryption - Data Loss Prevention - Asecuritysite

Date post: 17-Oct-2020
Author: Prof Bill Buchanan. Data Loss Prevention, 4. Encryption: Public/private key. Hashing. Digital Certificates. Disk Encryption. Tunnels. http://asecuritysite.com/dlp
Transcript
Page 1: 4. Encryption - Data Loss Prevention - Asecuritysite

Author: Prof Bill Buchanan

Data Loss Prevention

4. Encryption

Public/private key.
Hashing.
Digital Certificates.
Disk Encryption.
Tunnels.

http://asecuritysite.com/dlp

Page 2

Introduction
Encryption

[Diagram: Bob and Alice communicating, with Eve as the intruder and Trent as the trusted third party.]

Privacy (Private Key)
Identity (Public Key)
Integrity (Public/Private Key)

Page 6

Conclusion
Encryption

[Diagram: Bob and Alice each perform encryption/decryption over a communications channel, with Eve listening; each of Bob and Alice has a public key and a private key.]

Used to authenticate (RSA)
Key exchange (Diffie-Hellman)
Secret key used to encrypt/decrypt (DES/3DES/AES)

Typical application:

Diffie-Hellman used to generate private-key.
Public-key used for authentication.
Private-key used for encryption.

RSA 2048 bits
Replace by:
ElGamal 160bits

Page 7

Data Loss Detection/Prevention

Block or Stream?

Page 10

Private-key methods
Encryption

RC4. This is a stream encryption algorithm, and is used in wireless communications (such as in WEP) and SSL (Secure Sockets Layer).

[Diagram: the IV and key feed RC4, which produces a pseudo infinite stream; the data stream is Ex-ORed (+) with it to give the cipher stream.]

The IV (Initialisation Vector) gives variation in the output for the same key.

Data stream             0101010 … 010
Pseudo infinite stream  1110000 … 100
Cipher stream           1010110 … 110

+ = Ex-OR operator
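The keystream-and-XOR flow from this slide, as an added example that is not part of the original slides. It assumes the IV is prepended to the secret key (the way WEP builds its per-packet RC4 key); the key, IVs and messages are constructed sample values.

```python
# Added example: RC4 keystream generation and the Ex-OR step from the slide.
# Assumption: per-message key = IV || secret key (as WEP does).


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation (PRGA)
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """The Ex-OR operator from the slide, applied byte by byte."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: data XOR keystream(IV || key). Same call both ways."""
    return xor_bytes(data, rc4_keystream(iv + key, len(data)))


def iv_demo() -> dict:
    """Show what the IV does, and what happens when it repeats under one key."""
    key = b"constructed-key"                  # constructed sample values
    p1, p2 = b"transfer 100 GBP", b"transfer 900 GBP"
    iv_a, iv_b = b"\x00\x00\x01", b"\x00\x00\x02"
    c_a = rc4_crypt(key, iv_a, p1)
    c_b = rc4_crypt(key, iv_b, p1)
    c_reuse = rc4_crypt(key, iv_a, p2)
    return {
        # Same key and data, different IV: different cipher stream.
        "different_iv_changes_output": c_a != c_b,
        # XOR with the same keystream again recovers the data stream.
        "roundtrip_ok": rc4_crypt(key, iv_a, c_a) == p1,
        # Same key and IV: the keystream is identical and cancels out, so the
        # XOR of two ciphertexts equals the XOR of the two plaintexts.
        "reuse_cancels_keystream": xor_bytes(c_a, c_reuse) == xor_bytes(p1, p2),
    }


if __name__ == "__main__":
    for name, value in iv_demo().items():
        print(f"{name}: {value}")
```

The last check is the reason an IV must never repeat under the same key, and a short IV space makes repeats unavoidable on a busy link.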

Page 11

Private Key

Page 12

Private key
Encryption

RC2

RC2. RC2 ("Rivest Cipher") is a block cipher, and is seen as a replacement for DES. It was created by Ron Rivest in 1987, and is a 64-bit block code and can have a key size from 40 bits to 128 bits (in increments of 8 bits). The 40-bit key version is seen as weak, as the encryption key is so small, but is favoured by governments for export purposes, as it can be easily cracked. In this case the key is created from a Key and an IV (Initialisation Vector). The key has 12 characters (96 bits), and the IV has 8 characters (64 bits), which go to make the overall key.

DES

DES. The DES encryption algorithm is a block cipher and uses a 64-bit block and a 64-bit encryption key.

3DES. The DES encryption algorithm is a block cipher and uses a 64-bit block and a 64-bit encryption key (of which only 56 bits are actively used in the encryption process). Unfortunately DES has been around for a long time, and the 56-bit version is now easily crackable (in less than a day, on fairly modest equipment). An enhancement, and one which is still fairly compatible with DES, is the 3-DES algorithm. It has three phases, and splits the key into two. Overall the key size is typically 112 bits (2x56 bits - with a combination of the three keys - of which two of the keys are typically the same). The algorithm is EncryptK3(DecryptK2(EncryptK1(message))), where K1 and K3 are typically the same (to keep compatibility).

[Diagram: DES (Enc) with K1, then DES (Dec) with K2, then DES (Enc) with K1.]

AES

AES. AES (or Rijndael) is a new block cipher, and is the new replacement for DES, and uses 128-bit blocks with 128, 192 and 256 bit encryption keys. It was selected by NIST in 2001 (after a five year standardisation process). The name Rijndael comes from its Belgian creators: Joan Daemen and Vincent Rijmen.

Blowfish

Blowfish. Bruce Schneier created Blowfish as a general-purpose private-key block cipher encryption algorithm.

Blowfish (with CBC). With CBC we split the message into blocks and encrypt each block. The input to the first stage is the IV (Initialisation Vector), and the input to the following stages is the output from the previous stage. In this example we will use Blowfish to encrypt, using CBC.

Twofish

Bruce Schneier created Twofish as a general-purpose private-key block cipher encryption algorithm.

Others

Skipjack. Skipjack is a block cipher, using a private-key encryption algorithm, and was designed by the NSA.

Camellia. Camellia is a block cipher created by Mitsubishi and NTT.

RC4. RC4 is a stream cipher used in WEP (in wireless encryption).

Affine. Affine is a stream cipher which uses an equation to encrypt.

Page 18

Key Exchange

Page 21

Logs
Encryption

[Diagram: Bob, Alice and Eve.]

$A^x A^y = A^{x+y}$

$(A^x)^y = A^{xy}$

Page 22

[Diagram: Bob and Alice share an agreed number $A$ and each picks a random value ($x$ and $y$). The values $A^x$ and $A^y$ are exchanged, and Eve sees $A^x$ and $A^y$. The result is labelled "Private key".]

Page 23

[Same diagram, with the two sides then computing $(A^y)^x$ and $(A^x)^y$.]
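The exchange on pages 21 to 23 carried through in code, as an added example that is not part of the original slides. The slides show no modulus; this sketch assumes a teaching-size prime modulus (2**127 - 1) and the agreed number A = 3, and it assigns x to Bob and y to Alice.

```python
# Added example: Diffie-Hellman with the slide's symbols (A, x, y).
import hashlib
import secrets

# Assumptions: a teaching-size prime modulus and base. Real deployments use
# groups of 2048 bits or more, or an elliptic-curve exchange.
P = 2**127 - 1      # Mersenne prime, used here as the modulus
A = 3               # the "agreed number" from the slide


def private_value(p: int = P) -> int:
    """Random value kept secret by one side, uniform in [2, p-2]."""
    return 2 + secrets.randbelow(p - 3)


def public_value(private: int, p: int = P, a: int = A) -> int:
    """A^x (or A^y): the value sent over the channel, which Eve can see."""
    return pow(a, private, p)


def shared_secret(their_public: int, my_private: int, p: int = P) -> int:
    """(A^y)^x or (A^x)^y. Degenerate peer values are rejected first."""
    if not 2 <= their_public <= p - 2:
        # 0, 1 and p-1 would force the result into a tiny, guessable set.
        raise ValueError("rejected degenerate public value")
    return pow(their_public, my_private, p)


def session_key(secret: int) -> bytes:
    """Hash the shared secret down to a 256-bit symmetric key."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def exchange(x: int = None, y: int = None) -> dict:
    """Run both sides. Bob holds x and Alice holds y (assignment assumed)."""
    x = private_value() if x is None else x
    y = private_value() if y is None else y
    a_x, a_y = public_value(x), public_value(y)
    return {
        "on_wire": (a_x, a_y),                            # all Eve observes
        "bob_key": session_key(shared_secret(a_y, x)),    # (A^y)^x
        "alice_key": session_key(shared_secret(a_x, y)),  # (A^x)^y
    }


if __name__ == "__main__":
    run = exchange()
    print("keys match:", run["bob_key"] == run["alice_key"])
```

The exchange on its own does not tell Bob who sent $A^y$, which is why the slides pair Diffie-Hellman with public-key authentication.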

Page 27

Public Key

Page 30

RSA Encryption

Select two primes (p, q).

Next, the n value is calculated. Thus:

n = p x q = 11 x 3 = 33

Next PHI is calculated by:

PHI = (p-1)(q-1) = 20

e is selected so that GCD(e, PHI) = 1

Public key: (n, e)

Page 31

Public-key encryption
Encryption

Generating public and private keys

Bob selects two prime numbers: a and b

n = a x b

e is chosen so that e and (a-1)x(b-1) are relatively prime (no common factor greater than 1)

Public key is now: <e,n>

d = e^-1 mod [(a-1)x(b-1)]

Private key is now: <d,n>

Page 32

Public-key methods use keys which relate to extremely large prime numbers (as it is difficult to factorise the product of large prime numbers). It is extremely difficult to determine a private key from a public key.

[Diagram: Bob (encryption) and Alice (decryption) over a communications channel, with Eve listening; each of Bob and Alice has a public key and a private key.]

Public-key encryption generates two keys: a public key and a private one. These are special in that if one is applied to encrypt, the other can be used to decrypt.

Page 33

Once Bob encrypts the message, the only key which can decrypt it is Alice’s private key.

Bob and Alice keep their private keys secret.

[Diagram: Bob (encryption) and Alice (decryption) over a communications channel, with Eve listening; Hello becomes H&$d. on the channel and Hello again at Alice. Points A to D are marked along the path.]

A. Bob creates the message.
B. Bob encrypts with Alice’s public key and sends Alice the encrypted message
C. Alice decrypts with her private key
D. Alice receives the message
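The key generation from pages 30 and 31 and the encrypt/decrypt steps above, worked with the slide's own primes (p = 11, q = 3), as an added example that is not part of the original slides. The choice of the smallest valid e and the helper names are assumptions of this sketch; messages are integers below n, with no padding.

```python
# Added example: textbook RSA with the slide's numbers (p = 11, q = 3).
from math import gcd


def rsa_keygen(p: int, q: int, e: int = None):
    """Return (public, private) as ((e, n), (d, n)) for distinct primes p, q."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)                   # PHI on the slide
    if e is None:
        # Assumption: take the smallest odd e with GCD(e, PHI) = 1.
        e = next(c for c in range(3, phi, 2) if gcd(c, phi) == 1)
    elif gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                       # d = e^-1 mod PHI
    return (e, n), (d, n)


def rsa_apply(key, value: int) -> int:
    """value^exponent mod n. Used with either half of the key pair."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range 0..n-1")
    return pow(value, exponent, n)


def factor_small_modulus(n: int):
    """Trial division. Instant for n = 33; infeasible for a 2048-bit n."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n is prime or too small")


def private_from_public(public):
    """Why the primes must be large: with a tiny n, d follows from (e, n)."""
    e, n = public
    p, q = factor_small_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    alice_public, alice_private = rsa_keygen(11, 3)
    message = 4                                        # A. Bob creates the message
    cipher = rsa_apply(alice_public, message)          # B. encrypt with Alice's public key
    recovered = rsa_apply(alice_private, cipher)       # C. Alice decrypts with her private key
    print(alice_public, alice_private, cipher, recovered)  # D. Alice has the message
```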

Page 36

Hash Values

Page 37

Message Hash
Authentication

How do we get a finger-print for data?

Solved by Prof Ron Rivest with the MD5 hash signature.

Data: Hello. How are you? Is this okay?

With a fingerprint we can hopefully tell if Eve has modified any of the data.

[Diagram: Bob’s data passes through the MD5 hash algorithm; Eve is shown as the party who may modify it.]

Page 38

Hashing Algorithm (MD5) - 128 bit signature

MD5 hash algorithm, Base-64:

hello                XUFAKrxLKna5cZ2REBfFkg
Hello                ixqZU8RhEpaoJ6v4xHgE1w
Hello. How are you?  CysDE5j+ZOUbCYZtTdsFiw
Napier               j4NXH5Mkrk4j13N1MFXHtg

MD5 hash algorithm, Hex:

hello                5D41402ABC4B2A76B9719D911017C592
Hello                8B1A9953C4611296A827ABF8C47804D7
Hello. How are you?  CC708153987BF9AD833BEBF90239BF0F
Napier               8F83571F9324AE4E23D773753055C7B6

Page 39

Hashing Algorithm (SHA-1) - 160 bit signature

SHA-1 hash algorithm, Base-64:

hello                qvTGHdzF6KLavt4PO0gs2a6pQ00=
Hello                9/+ei3uy4Jtwk1pdeF4MxdnQq/A=
Hello. How are you?  Puh2Am76bhjqE5lbTWtwsqbdFC8=
Napier               v4GxNaVod2b09GR2Tqw4yopOuro=

SHA-1 hash algorithm, Hex:

hello                AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D
Hello                F7FF9E8B7BB2E09B70935A5D785E0CC5D9D0ABF0
Hello. How are you?  3EE876026EFA6E18EA13995B4D6B70B2A6DD142F
Napier               BF81B135A5687766F4F464764EAC38CA8A4EBABA

Page 40

Hashing Algorithm (MD5) - 128 bit signature

Message 1:

Security and mobility are two of the most important issues on the Internet, as they will allow users to secure their data transmissions, and also break their link with physical connections.

Message 2:

Security and mobility are two of the mast important issues on the Internet, as they will allow users to secure their data transmissions, and also break their link their physical connections.

MD5 values shown for the two messages:

Hex                               Base-64
8A8BDC3FF80A01917D0432800201CFBF  iovcP/gKAZF9BDKAAgHPvw==
F94FBED3DAE05D223E6B963B9076C4EC  +U++09rgXSI+a5Y7kHbE7A==

Page 41

Hash methods
Hash

root@kali:~# echo -n "hello" | openssl md5
(stdin)= 5d41402abc4b2a76b9719d911017c592
root@kali:~# echo -n "hello" | md5sum
5d41402abc4b2a76b9719d911017c592 -
root@kali:~# openssl md5 pw
MD5(pw)= 859b6a9be3b45262c4414bd1696ba91b
root@kali:~# md5sum pw
859b6a9be3b45262c4414bd1696ba91b pw

Hash methods supported (OpenSSL):

md2 md4 md5 rmd160 sha sha1

Page 42

Hashing Algorithm (MD5) - 128 bit signature


Files/folders: Hash signatures are used to gain a signature for files, so that they can be checked if they have been changed.


Page 43

Hashing Algorithm (MD5) - 128 bit signature

Files/folders: Hash signatures are used to identify that a file/certificate has not been changed.

The digital certificate has an SHA-1 hash thumbprint (3f6a...89) which will be checked, and if the thumbprint is different, the certificate will be invalid.
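The fingerprinting on pages 38 to 40 and the file check on pages 42 and 43, as an added example that is not part of the original slides. The file names and contents are constructed; the manifest defaults to SHA-256 (an assumption of this sketch, since MD5 and SHA-1 no longer resist deliberate collisions), while `fingerprint` reproduces the MD5 and SHA-1 values on the slides.

```python
# Added example: hex/Base-64 fingerprints and a baseline check for files.
import base64
import hashlib


def fingerprint(data: bytes, algorithm: str = "md5"):
    """Return (hex, base64) of the digest, the two encodings on the slides."""
    digest = hashlib.new(algorithm, data).digest()
    return digest.hex().upper(), base64.b64encode(digest).decode("ascii")


def build_manifest(files: dict, algorithm: str = "sha256") -> dict:
    """Map each file name to the hex digest of its content."""
    return {
        name: hashlib.new(algorithm, content).hexdigest()
        for name, content in files.items()
    }


def compare_manifest(baseline: dict, current: dict) -> dict:
    """Report what changed between a trusted baseline and a later scan."""
    return {
        "changed": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


# Constructed sample data standing in for a monitored folder.
BASELINE_FILES = {
    "app.dll": b"\x4d\x5a original library bytes",
    "settings.ini": b"mode=secure\n",
    "readme.txt": b"Security and mobility are two of the most important issues",
}

LATER_FILES = {
    "app.dll": b"\x4d\x5a original library bytes",
    "settings.ini": b"mode=insecure\n",                     # edited
    "readme.txt": b"Security and mobility are two of the mast important issues",
    "dropper.tmp": b"unexpected new file",                  # new
}


def demo() -> dict:
    baseline = build_manifest(BASELINE_FILES)
    current = build_manifest(LATER_FILES)
    return compare_manifest(baseline, current)


if __name__ == "__main__":
    print(fingerprint(b"hello", "md5"))
    print(fingerprint(b"hello", "sha1"))
    print(demo())
```

The baseline manifest has to be stored where whoever can change the files cannot also rewrite it, otherwise the comparison proves nothing.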

Page 46

Risk 4: One Password Fits All

150 million accounts compromised

#    Count    Ciphertext                Plaintext
1.   1911938  EQ7fIpT7i/Q=              123456
2.   446162   j9p+HwtWWT86aMjgZFLzYg==  123456789
3.   345834   L8qbAD3jl3jioxG6CatHBw==  password
4.   211659   BB4e6X+b2xLioxG6CatHBw==  adobe123
5.   201580   j9p+HwtWWT/ioxG6CatHBw==  12345678
6.   130832   5djv7ZCI2ws=              qwerty
7.   124253   dQi0asWPYvQ=              1234567
8.   113884   7LqYzKVeq8I=              111111
9.   83411    PMDTbP0LZxu03SwrFUvYGA==  photoshop
10.  82694    e6MPXQ5G6a8=              123123

1 million accounts – in plain text. 77 million compromised

47 million accounts

200,000 client accounts

Dropbox compromised 2013

One account hack … leads to others

6.5 million accounts (June 2013)

Page 47

Advanced Crypto

[Figure: Alice, Eve, Trent and Bob.]

3. Hashing and Authentication

http://asecuritysite.com/crypto

Salting

Page 49

Salting
Encryption

C:\openssl>openssl passwd -1 -salt fred password
$1$fred$bATAk8UUH/IDAp9sd6IUv/

[Diagram: the password "password" and the salt "fred" give $1$fred$bATAk8UUH/IDAp9sd6IUv/, which is shown split into its three parts: 1, fred and bATAk8UUH/IDAp9sd6IUv/.]

Page 50

# cat /etc/shadow
root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::
# openssl passwd -1 -salt Etg2ExUZ redhat
$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

$ openssl dgst -md5 file
MD5(file)= b1946ac92492d2347c6235b4d2611184

$ openssl genrsa -out mykey.pem 1024
Generating RSA private key, 1024 bit long modulus
.............................................................................++++++
...++++++
e is 65537 (0x10001)

$ openssl rsa -in mykey.pem -pubout > mykey.pub
writing RSA key

$ cat mykey.pub
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
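A reader for the `$id$salt$hash` layout shown on pages 49 and 50, used to audit shadow entries, as an added example that is not part of the original slides. The `root` line is the one from the slide; the other entries, their salts and their hash strings are constructed placeholders, and the finding names are assumptions of this sketch.

```python
# Added example: parse shadow password fields and flag weak storage choices.
from collections import defaultdict

# Scheme id -> (name, legacy?). "$1$" is MD5-crypt, the scheme produced by
# "openssl passwd -1" on the slides; it is treated as legacy here.
SCHEMES = {
    "1": ("MD5-crypt", True),
    "5": ("SHA-256-crypt", False),
    "6": ("SHA-512-crypt", False),
}


def parse_shadow_line(line: str) -> dict:
    """Split one shadow entry into user, scheme, rounds, salt and hash."""
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry")
    entry = {"user": fields[0], "scheme": None, "legacy": False,
             "rounds": None, "salt": None, "hash": None}
    password = fields[1]
    if password == "":
        entry["scheme"] = "empty-password"
        return entry
    if password == "*" or password.startswith("!"):
        entry["scheme"] = "locked"
        return entry
    parts = password.split("$")       # "$1$salt$hash" -> ["", "1", "salt", "hash"]
    if parts[0] != "" or len(parts) < 4 or parts[1] not in SCHEMES:
        entry["scheme"] = "other"     # formats this sketch does not decode
        return entry
    entry["scheme"], entry["legacy"] = SCHEMES[parts[1]]
    rest = parts[2:]
    if rest[0].startswith("rounds="):
        entry["rounds"] = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2:
        raise ValueError("malformed password field")
    entry["salt"], entry["hash"] = rest
    return entry


def audit(lines) -> list:
    """Return (user, finding) pairs in file order."""
    entries = [parse_shadow_line(line) for line in lines if line.strip()]
    users_by_salt = defaultdict(list)
    for entry in entries:
        if entry["salt"]:
            users_by_salt[(entry["scheme"], entry["salt"])].append(entry["user"])
    findings = []
    for entry in entries:
        if entry["scheme"] == "empty-password":
            findings.append((entry["user"], "empty-password"))
        if entry["legacy"]:
            findings.append((entry["user"], "weak-scheme"))
        # A salt only helps if it is unique per account.
        if entry["salt"] and len(users_by_salt[(entry["scheme"], entry["salt"])]) > 1:
            findings.append((entry["user"], "shared-salt"))
    return findings


SAMPLE = [
    "root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::",   # from the slide
    "alice:$6$Zx81kQpL$CONSTRUCTEDHASHAAAA:19000:0:99999:7:::",      # constructed
    "bob:$6$Zx81kQpL$CONSTRUCTEDHASHBBBB:19000:0:99999:7:::",        # constructed
    "carol:$6$rounds=100000$p0Qm2LsT$CONSTRUCTEDHASHCCCC:19000:0:99999:7:::",
    "daemon:*:15651:0:99999:7:::",
    "guest::15651:0:99999:7:::",
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(user, finding)
```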

Page 51

Authentication with Private Key

Pages 52-62

Public key encryption … secret … identity ... trust

[Build sequence over one diagram: Bob holds Bob’s Private Key and Bob’s Public Key; Alice holds Alice’s Public Key and Alice’s Private Key; Eve and Trent are also shown. Each page adds one item to the diagram.]

Page 53: Alice’s Public Key

Page 55: the message appears: "Hello Alice, Wish you were here! - Bob", with the signature "Bob."

Page 56: Bob’s Private Key

Page 57: Alice’s Public Key

Page 58: Which key to open the message?

Page 59: Alice’s Private Key

Page 60: Which key do we open the signature with?

Page 61: Bob’s Public Key

Pages 63-67

The magic private key
Authentication

Page 63: Using Bob’s private key to authenticate himself

[Diagram: Bob takes the MD5 of the message and encrypts it with Bob’s private key, giving the message plus an encrypted MD5. Bob’s public key is shown alongside.]

Pages 64-65: Bob encrypts the message/hash with Alice’s public key

[Diagram: the message and encrypted MD5 are encrypted with Alice’s public key to give the encrypted content, which is passed to Alice.]

Page 66: Alice decrypts the message

[Diagram: Alice uses her private key on the encrypted content to recover the message and the encrypted MD5.]

Page 67: Alice decrypts the message

[Diagram: Alice uses Bob’s public key on the encrypted MD5 to get MD5 (result), and calculates MD5 (message) from the message.]

Alice compares the MD5 values. If they are the same … Bob sent the message
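The hash, sign and compare steps from pages 63 and 67, as an added example that is not part of the original slides; the confidentiality layer on pages 64 to 66 is left out. Bob's key pair is built from two published Mersenne primes so the numbers are reproducible, which makes it illustration-only, and it keeps the slides' MD5 with unpadded RSA where a deployed system would use SHA-256 with a padded signature scheme.

```python
# Added example: "encrypted MD5" as a signature, checked with the public key.
import hashlib

# Assumption: a reproducible toy key pair for Bob. Both primes are published
# Mersenne primes, so this modulus offers no secrecy at all.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q                                   # Bob's modulus (about 196 bits)
E = 65537                                   # Bob's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # Bob's private exponent


def md5_int(message: bytes) -> int:
    """MD5 of the message as an integer (128 bits, so always below N)."""
    return int.from_bytes(hashlib.md5(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Bob: hash the message, then apply his private key to the hash."""
    return pow(md5_int(message), d, n)


def recover_hash(signature: int, e: int = E, n: int = N) -> int:
    """Alice: apply Bob's public key to get back the hash Bob computed."""
    return pow(signature, e, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Alice: compare MD5 (result) from the signature with MD5 (message)."""
    if not 0 <= signature < n:
        return False
    return recover_hash(signature, e, n) == md5_int(message)


def alice_checks() -> dict:
    message = b"Hello Alice, Wish you were here! - Bob"
    signature = sign(message)
    return {
        "genuine": verify(message, signature),
        # One changed character gives a different MD5, so the compare fails.
        "tampered_message": verify(b"Hello Alice, Wish you were gone! - Bob", signature),
        # A signature made with some other private exponent does not match.
        "wrong_key": verify(message, pow(md5_int(message), D + 2, N)),
    }


if __name__ == "__main__":
    for check, result in alice_checks().items():
        print(f"{check}: {result}")
```

The check only proves the message came from the holder of the private key matching the public key Alice used, so it depends on Alice having the right public key for Bob.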

Page 68

Digital Certificates

Page 69

Identity on the Internet

[Diagram: Bob, Eve and Trent.]

Identifies it is trusted (Digital Certificate)
Trap-door
Keeps communications secure (encryption)

Page 70

Digital Cert.
Authentication

Digital certificates should only be distributed with the public key

[Diagram: Bob with two certificates.]

This certificate has both public and private key
This certificate has only the public key

Page 71

Digital certificates should only be distributed with the public key


P7b format (the certificate shown on this slide)

The main certificate formats include:

- P7b. Text format.
- PFX/P12. Binary.
- SST. Binary.

Page 72: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Digital Cert. Authentication

Encrypting messages to Alice

[Figure: Bob, Encryption, Communications Channel, Decryption, Alice, with Eve on the channel. "Hello" is sent as "H&$d." and recovered as "Hello". Alice's private key is shown at the decryption step.]

Alice sends her digital certificate with her public key on it.

A. Bob creates the message.

B. Bob encrypts with Alice’s public key and sends Alice the encrypted message.

C. Alice decrypts with her private key.

D. Alice receives the message.

Page 73: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Digital Cert. Authentication

Authenticating Bob

[Figure: Bob, Encryption/Decryption, Communications Channel, Encryption/Decryption, Alice. "Hello" is sent as "H&$d." and recovered as "Hello" (steps A, B, C, D). Other labels: Hash (twice), Bob’s private key, Alice’s private key.]

Bob sends his digital certificate to authenticate himself.

Alice checks the hash using Bob’s public key from his certificate.

Page 74: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Advanced Crypto

5. Disk Encryption

Introduction

http://asecuritysite.com/crypto

[Figure: Alice, Eve, Trent, Bob]

Page 75: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels
Page 76: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

EFS Disk Encryption

EFS – Drive or Folder encryption

[Figure labels: Encryption key, Public key, Header, Private key]

- CER file – Contains certificate.
- PFX – Contains certificate and private key.

Page 77: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Market: Disk Encryption

Disk Encryption

- Microsoft Bitlocker
- TrueCrypt
- Axantum (.AXX)
- McAfee Endpoint Encryption
- Encryption Software
- Check Point Full Disk Encryption Software
- Sophos SafeGuard Disk Encryption

[Figure labels: File/Folder Encryption, Disk Encryption]

Page 78: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

FIPS 140-2 Disk Encryption

Disk Encryption

FIPS (Federal Information Processing Standards) 140-2 Level 1:
- Lowest level with limited requirements.

FIPS 140-2 Level 2:
- Physical tamper-evidence.
- Role-based authentication. [Figure label: Role access (Admin)]

FIPS 140-2 Level 3:
- Physical tamper-resistance.
- Identity-based authentication. [Figure label: Identity access (Fred)]
- Physical or logical separation between the interfaces by which the key security parameters are entered or passed. [Figure label: Isolation barrier]

FIPS 140-2 Level 4:
- Physical security requirements more stringent.
- Robustness against environmental attacks.

Notes:
- NIST publish 140 publication series for cryptography.
- FIPS 140-2 May 2001.
- FIPS 140-3 Software limited to L1/L2.
- O/S must be compliant for Level 2 and above.

Page 79: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Access: Disk Encryption

Disk Encryption

- Password or passphrase (example on slide: NapI5r123$)
- OTP device such as an RSA token
- Biometric device (eg fingerprint reader) with Trusted Platform Module which holds the actual encryption key
- USB drive with encryption key

Multi-factor authentication uses two or more of these.

[Figure labels: File/Folder Encryption, Disk Encryption]

Page 80: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Access: Disk Encryption

Disk Encryption

[Figure labels: Encryption Layer; Directory structure; Disk Storage; Cloud Storage; API/DLL Integration (c:, d:, etc); File Image; Disk Image; Non-encrypted in memory; Non-encrypted in transit; Non-encrypted in storage]

Page 81: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Data Loss Detection/Prevention

TrueCrypt

Page 82: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

TrueCrypt Disk Encryption

Disk Encryption

TrueCrypt

- Advantages: Open-source. Windows/Linux/OS X. Free.
- Disadvantages: If you lose the pass phrase – almost impossible to recover. Current support is patchy.

Header (contains material keys)

- Encryption: AES, Serpent, Twofish
- Authentication: RIPEMD-160, SHA-512, Whirlpool

PBKDF2 (Password-based Key Derivation Function) RFC 2898

Password + Salt (512-bit) → Header Key (dkLen)

DK = PBKDF2(PRF, Password, Salt, c, dkLen)

DK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)

Ciphers:

- Serpent. Ross Anderson et al. 1998. 256-bit key. 128-bit block (one of the AES finalists).
- Twofish. Bruce Schneier et al. 1998. 256-bit key. 128-bit block (one of the AES finalists).
- AES. FIPS-approved (Rijndael). 1998. 256-bit key. 128-bit block.

[Figure labels: Serpent, AES; AES-Serpent]
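The derivation DK = PBKDF2(PRF, Password, Salt, c, dkLen) from the TrueCrypt slide, written out step by step from RFC 2898 as an added example (not code from the slides or from TrueCrypt). The function names, the sample passwords and salts, and the iteration count passed to `header_key` are assumptions made for illustration.

```python
import hashlib
import hmac


def pbkdf2(prf_hash: str, password: bytes, salt: bytes, c: int, dk_len: int) -> bytes:
    """DK = PBKDF2(PRF, Password, Salt, c, dkLen) with PRF = HMAC-<prf_hash> (RFC 2898).

    dk_len is in bytes; the slide's dkLen of 256 is in bits, i.e. 32 bytes.
    """
    h_len = hashlib.new(prf_hash).digest_size
    if c < 1 or not 1 <= dk_len <= (2**32 - 1) * h_len:
        raise ValueError("bad iteration count or derived-key length")
    keyed = hmac.new(password, digestmod=prf_hash)  # the password is the HMAC key

    def prf(data: bytes) -> bytes:
        mac = keyed.copy()
        mac.update(data)
        return mac.digest()

    dk = b""
    block_index = 1
    while len(dk) < dk_len:
        # U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), T_i = U_1 xor ... xor U_c
        u = prf(salt + block_index.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(c - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        dk += t.to_bytes(h_len, "big")
        block_index += 1
    return dk[:dk_len]


def wpa_style_key(passphrase: str, ssid: str) -> bytes:
    """The slide's second line: PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits)."""
    return pbkdf2("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def header_key(password: bytes, salt: bytes, c: int, prf_hash: str = "sha512") -> bytes:
    """Header key from a password and a 512-bit salt. The iteration count c and the
    64-byte output are assumptions here; the slide does not give TrueCrypt's values."""
    if len(salt) != 64:
        raise ValueError("expected a 512-bit salt")
    return pbkdf2(prf_hash, password, salt, c, 64)


if __name__ == "__main__":
    salt_a, salt_b = bytes(range(64)), bytes(range(1, 65))  # constructed salts
    print(wpa_style_key("constructed passphrase", "constructed-ssid").hex())
    print(header_key(b"constructed password", salt_a, 1000).hex()[:32])
    print(header_key(b"constructed password", salt_b, 1000).hex()[:32])  # new salt, new key
```

The same password with a different salt yields an unrelated key, and every guess at the password costs c HMAC evaluations per output block.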

Page 83: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

TC Disk Encryption

TrueCrypt

Page 84: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Data Loss Detection/Prevention

Detecting Enc/Comp

Page 85: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Detecting Disk Encryption

Detecting compression/enc

File Compression

- PKZIP: 50 4B 03 04 [PK]
- GZIP: 1F 8B 08
- Tar: 75 73 74 61 72
- Zlib: 78 01, 78 9C or 78 DA

[00000000] 50 4B 03 04 14 00 02 00 08 00 80 9D 6C 39 DA 4D PK..........l9.M
[00000016] B8 0F 90 01 00 00 27 06 00 00 09 00 00 00 61 6E ......'.......an
[00000032] 69 6D 2E 78 61 6D 6C ED 54 D1 4E 83 30 14 7D 37 im.xaml.T.N.0.}7
[00000048] F1 1F 9A 7E 00 C5 69 4C 24 B0 C4 CD A9 0F 6A 96 ...~..iL$.....j.
[00000064] 8D 64 CF 15 EE A0 B1 B4 A4 2D 8A 7F 6F 2D 6C 63 .d.......-..o-lc
[00000080] CA 14 13 1F 7C 90 A7 02 E7 9C 7B EF 39 E9 0D 57 ....|.....{.9..W
[00000096] 4C A4 F2 05 D5 C1 94 53 AD 23 BC 2A D7 97 65 C9 L......S.#.*..e.

File Encryption

47 c3 dd 4e 94 15 ce af 76 d6 94 9d 5d 82 88 99
34 d3 db 0d e4 ae af 57 e3 87 62 fd 14 7e f5 7d
02 7a 67 40 2b 2c 71 41 24 92 9d 54 1c 75 bb 54
0b f8 95 a9 92 d7 33 ad 2f 00 cb 8c 9f 90 66 49
b2 bd 0f 90 52 e3 aa 0a 59 6b 78 65 1f 5b 35 19
0f e3 32 ed c3 f0 04 88 67 51 33 cb 03 40 9f 3b
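As an added example (not from the slides), the check below matches the header bytes listed on this slide and, for data with no known header, uses a Shannon-entropy estimate as one way to flag the random-looking bytes of the encrypted sample. The 7.5 bits/byte threshold, the 256-byte minimum, the function names and all sample buffers are assumptions constructed for this example.

```python
import gzip
import hashlib
import io
import math
import tarfile
import zipfile
import zlib
from collections import Counter

SIGNATURES = [  # (name, offset, magic) for the headers listed on the slide
    ("PKZIP", 0, b"PK\x03\x04"),
    ("GZIP", 0, b"\x1f\x8b\x08"),
    ("Tar", 257, b"ustar"),  # 75 73 74 61 72 sits at offset 257 of the header block
    ("Zlib", 0, b"\x78\x01"), ("Zlib", 0, b"\x78\x9c"), ("Zlib", 0, b"\x78\xda"),
]
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune against local data
MIN_SAMPLE = 256         # shorter buffers cannot approach 8 bits per byte


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(k / n * math.log2(k / n) for k in Counter(data).values()) if n else 0.0


def classify(data: bytes) -> str:
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    if len(data) < MIN_SAMPLE:
        return "unknown (too short)"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "possibly encrypted"
    return "plain"


def constructed_samples() -> dict:
    """Labelled buffers built in memory (constructed, not real captures).
    SHA-256 in counter mode stands in for ciphertext: uniform bytes, no header."""
    text = b"Customer record 0001: name, address, card ending 0000\n" * 200
    zbuf, tbuf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("records.txt", text)
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("records.txt")
        info.size = len(text)
        tf.addfile(info, io.BytesIO(text))
    cipher_like = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    return {"zip": zbuf.getvalue(), "gzip": gzip.compress(text), "zlib": zlib.compress(text),
            "tar": tbuf.getvalue(), "cipher_like": cipher_like, "text": text}
```

Compressed data whose header has been stripped is also close to 8 bits per byte, so "possibly encrypted" here means "random-looking with no recognised header", which a DLP rule would treat as a prompt for review rather than as proof.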

Page 86: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Data Loss Detection/Prevention

SSL/TLS

Page 87: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Stack Tunnelling

Network protocols

- Application: HTTP, FTP, Telnet, POP-3, IMAP, SMTP
- Transport: TCP, UDP, SPX
- Network: IP, IPX, ARP, ICMP
- Data Link: Ethernet, PPP, HDLC
- Physical: Cables, Signals

Page 88: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Stack Tunnelling

Network protocols

- Application: HTTP, FTP, Telnet, POP-3, IMAP, SMTP
- Transport: TCP, UDP, SPX
- Network: IP, IPX, ARP, ICMP
- Data Link: Ethernet, PPP, HDLC
- Physical: Cables, Signals

[Figure: a second stack (Physical, Data Link, Network, Transport, Application) with an SSL layer added.]

- HTTPS (HTTP + SSL)
- FTP (FTP+SSL)
- SSH (Telnet+SSL)

Ports

- HTTP 80, HTTPs 443
- TELNET 23, SSH 22
- SMTP 25, SMTPs 465
- POP-3 110, POP-3s 995

Versions

- SSL 1.0
- SSL 2.0
- SSL 3.0 [0x0300]
- SSL 3.1 (TLS 1.0) [0x0301]
- TLS 1.1 and 1.2 [0x0302]

Secure Socket Layer

Transport Layer Socket

Page 89: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Stack Tunnelling

TLS

[Figure: stack of Physical, Data Link, Network, Transport, Application, with an SSL layer.]

1. TCP [SYN] to Port 443
2. TCP [SYN,ACK] from Port 443
3. TCP [ACK] to Port 443
4. Client Hello (Start of Handshake)

Page 90: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Stack Tunnelling

TLS

- Client Hello: 192.168.0.20
- Server Hello: 66.211.169.66

Page 91: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Stack Tunnelling

TLS

- Client Hello: 192.168.0.20
- Server Hello: 66.211.169.66
- Client Key Exchange: Public key

Page 92: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

TC Disk Encryption

TrueCrypt

billbuchanan@Bills-MacBook-Pro:~$ openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIISVyALWN+akUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
---
SOx4I5L0D0jZYqKfJuImGcFwdIETq0EpCmkhJfGNHjVdzC/h/T61TmaY
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3719 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9D92CEC32FA9F86C6D902081EE186C4FC68234FFF7B903D6621A86C98092BD51
    Session-ID-ctx:
    Master-Key: B8A14DB1D3021E80B53F30EA94D2EEA155A995B926879B08E3D971EB16873D16F62929899E2FA368D374716DB14A412B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - fa 8d cb 50 53 3d 99 c8-b4 11 20 0c ca 53 e9 bd ...PS=.... ..S..
    0010 - f8 8e 15 14 ec 82 c1 56-ab d9 9b 36 c2 56 b0 db .......V...6.V..
    0020 - 2b d4 07 56 a5 02 ac 1f-34 fa 72 21 fd 7c ba 97 +..V....4.r!.|..
    0030 - 2a ae e9 20 04 ef 8a e5-a0 57 28 3a c7 67 04 ac *.. .....W(:.g..
    0040 - 7d 14 bf b0 6d 96 9f cb-eb 0c 0a 40 07 5f a6 84 }...m......@._..
    0050 - e2 3b 98 0b e7 f4 b1 e1-04 be 15 6b 36 a5 57 b3 .;.........k6.W.
    0060 - 11 98 f2 f4 20 fe b5 7f-6b 10 4e 7a f9 b5 6d 02 .... ...k.Nz..m.
    0070 - 30 ec 07 e6 f0 c0 49 81-31 6b 30 f9 b0 d3 c4 25 0.....I.1k0....%
    0080 - 62 f3 92 33 e8 25 cc 22-32 84 54 e6 0e 76 b1 45 b..3.%."2.T..v.E
    0090 - 3a 60 83 cf 1b b0 97 7d-05 03 47 20 29 12 d9 8d :`.....}..G )...
    00a0 - 6f 5a b4 f2 oZ..

    Start Time: 1413136351
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

Cipher suite names:

- TLS_RSA_WITH_AES_256_CBC_SHA256. Key: RSA. Enc: AES_256_CBC. Hash: SHA256.
- TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA. Key ex: DH_DSS. Enc: 3DES_EDE_CBC. Hash: SHA.

Client Hello:

- Versions:
- TLS_RSA_WITH_RC4_128_MD5
- TLS_RSA_WITH_RC4_128_SHA
- (rfc5246)

Server Hello:

- Version:
- TLS_RSA_WITH_RC4_128_SHA

Key Exchange: Public key (RSA)

Encryption: RC4

Hash: 128-bit SHA (SHA-1)

Page 93: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

SSL Tunnelling

Client Hello:

- Versions:
- TLS_RSA_WITH_RC4_128_SHA
- (rfc5246)

Server Hello:

- Version:
- TLS_RSA_WITH_RC4_128_SHA

Key Exchange: Public key (RSA)

Encryption: RC4

Hash: 128-bit SHA (SHA-1)

[Figure labels: Session key, Public key, Private key]

Tunnel created (RC4, Hash: SHA-1)

Page 94: 4 . Encryption Data Loss Prevention - Asecuritysite · Data Loss Prevention 4 . Encryption x Public /private key . x Hashing . x Digital Certificates . x Disk Encryption . x Tunnels

Data Loss Prevention

4. Encryption

- Public/private key.
- Hashing.
- Digital Certificates.
- Disk Encryption.
- Tunnels.

http://asecuritysite.com/dlp

