COMP3371COMP3371Cyber SecurityCyber Security

Richard HensonRichard Henson

University of WorcesterUniversity of Worcester

October 2015October 2015

Week 3: Encryption and Week 3: Encryption and Technical ControlsTechnical Controls

Objectives:Objectives:Explain why, how, and to what Explain why, how, and to what

standard an organisation can set up standard an organisation can set up controls/ISMScontrols/ISMS

Compare security of most common Compare security of most common types of data transmissiontypes of data transmission

Explain encryption and decryptionExplain encryption and decryptionContrast between symmetric keys Contrast between symmetric keys

and asymmetric keysand asymmetric keys

Developing an Information Developing an Information Security Management Security Management

SystemSystem Each organisation is different! No Each organisation is different! No

template ISMS possibletemplate ISMS possible

ISO27001 standard lists over 100 ISO27001 standard lists over 100 possible controlspossible controlshow many are actually needed? how many are actually needed?

» depends on an organisation’s processesdepends on an organisation’s processes

for each control not usedfor each control not used» non-use needs to be justified…non-use needs to be justified…

An ISMS that is “fit for An ISMS that is “fit for purpose”purpose”

Analysis needs to acknowledge all aspects Analysis needs to acknowledge all aspects of how data is managedof how data is managed requires an understanding of processes and requires an understanding of processes and

associated dataassociated data

Risk assessment required to determine Risk assessment required to determine where controls are neededwhere controls are needed ISO27001 assumes all controls neededISO27001 assumes all controls needed no point spending money on controls where no point spending money on controls where

they are not needed but exemptions need they are not needed but exemptions need justifying…justifying…

A Security Controls approach A Security Controls approach light on ISMS: PCI DSSlight on ISMS: PCI DSS

System devised by Credit Card Companies System devised by Credit Card Companies (i.e. banks…)(i.e. banks…) https://www.pcisecuritystandards.org/

Guidelines for a number of years…Guidelines for a number of years… Now with v3 a sting in the tail for the SMENow with v3 a sting in the tail for the SME

heavy fines possibleheavy fines possible can be refused business merchant facilities…can be refused business merchant facilities…

Will affect small businesses WORLDWIDE Will affect small businesses WORLDWIDE selling online directly to consumersselling online directly to consumers

Requirements for PCI DSS Requirements for PCI DSS compliance? (1)compliance? (1)

12 controls (11 Technical)12 controls (11 Technical) Install and maintain a firewall configuration Install and maintain a firewall configuration

to protect cardholder datato protect cardholder data Do not use vendor-supplied defaults for Do not use vendor-supplied defaults for

system passwords and other security system passwords and other security parametersparameters

Protect stored cardholder dataProtect stored cardholder data Encrypt transmission of cardholder data Encrypt transmission of cardholder data

across open, public networks across open, public networks Use and regularly update anti-virus software Use and regularly update anti-virus software

or programsor programs

What is needed for PCI What is needed for PCI DSS compliance? (2)DSS compliance? (2)

Develop and maintain secure systems and applications Develop and maintain secure systems and applications

Restrict access to cardholder data by business need-to-Restrict access to cardholder data by business need-to-know know

Assign a unique ID to each person with computer access Assign a unique ID to each person with computer access

Track and monitor all access to network resources and Track and monitor all access to network resources and cardholder data cardholder data

Regularly test security systems and processes Regularly test security systems and processes

Maintain a policy that addresses information Maintain a policy that addresses information security for employees and contractorssecurity for employees and contractors

PCI DSS issuesPCI DSS issues

Is it realistic?Is it realistic? Is it essential?Is it essential? How can it be policed?How can it be policed?

Discussion in groups…Discussion in groups…

IASME & Cyber EssentialsIASME & Cyber Essentials

IASME uses principles of ISMS and IASME uses principles of ISMS and like ISO27001 uses 100+ controls… like ISO27001 uses 100+ controls… but designed to be more SME but designed to be more SME friendlyfriendly

Cyber Essentials requires only 5 Cyber Essentials requires only 5 controls… all essentially technicalcontrols… all essentially technicalCyber Essentials now a minimum for Cyber Essentials now a minimum for

government contractsgovernment contractsuseful starting point? No IS policy!useful starting point? No IS policy!

Useful Technical Knowledge Useful Technical Knowledge (covered in level 1 & 2 (covered in level 1 & 2

modules)modules) Client-server networkingClient-server networking The Seven OSI software layers & The Seven OSI software layers &

the TCP/IP protocol stackthe TCP/IP protocol stack Web servers and browsersWeb servers and browsers The importance of updatesThe importance of updates How firewalls fit in with the How firewalls fit in with the

above…above…

Security of Data on the Security of Data on the move: Internal networksmove: Internal networks

Most organisational computers regularly Most organisational computers regularly interchange datainterchange data

Data could in theory be copied (although Data could in theory be copied (although not destroyed) by being intercepted:not destroyed) by being intercepted: as it passes between computers through use as it passes between computers through use

of e/m waves (easy)of e/m waves (easy) in copper cables (difficult)in copper cables (difficult) In optical fibre cables (very difficult)In optical fibre cables (very difficult)

The organisation therefore needs to The organisation therefore needs to vigilant…vigilant…

Security and copper Security and copper cablescables

UTP (Unshielded Twisted Pair) cable is UTP (Unshielded Twisted Pair) cable is cheap, but not totally secure:cheap, but not totally secure: electricity passing through a cable creates a electricity passing through a cable creates a

magnetic field…magnetic field… can then be intercepted and used to can then be intercepted and used to

recreate the original signal…recreate the original signal…

Shielding stops the magnetic field Shielding stops the magnetic field spreading outspreading out STP (Shielded Twisted Pair) cabling STP (Shielded Twisted Pair) cabling

available but more expensive…available but more expensive…

Security, cost and Security, cost and Fibre Optic CablesFibre Optic Cables

Much more secure than even shielded Much more secure than even shielded coppercopper digital data transmitted as a high intensity digital data transmitted as a high intensity

light beamlight beam no associated magnetic field; data can’t be no associated magnetic field; data can’t be

“tapped”“tapped” Can carry much more data than twisted Can carry much more data than twisted

pairpair but:but:

» cost… of cables… of installation…cost… of cables… of installation…

Which to choose, UTP, STP, optical fibre?Which to choose, UTP, STP, optical fibre? cost v risk balancing actcost v risk balancing act

Security and Radio WavesSecurity and Radio Waves System easy to installSystem easy to install

no cabling needed, just signal boostersno cabling needed, just signal boosters

BUT… without encryption & BUT… without encryption & authentication, not secure at all!authentication, not secure at all! can be received by anyone within range and can be received by anyone within range and

with the right equipmentwith the right equipment especially easy to pick up if transmitted as especially easy to pick up if transmitted as

“fixed spectrum”“fixed spectrum”» ““Spread spectrum” radio waves can only be Spread spectrum” radio waves can only be

picked up by equipment that can follow the picked up by equipment that can follow the changes in frequencychanges in frequency

such equipment MUCH more expensive…such equipment MUCH more expensive…

Security and Security and Network HardwareNetwork Hardware

Very small organisations may use Very small organisations may use peer-peer networking and peer-peer networking and cabling/wirelesscabling/wireless same dangers…same dangers…

Use intelligent hubs, switches, and a Use intelligent hubs, switches, and a router to connect everything together router to connect everything together and link to Internetand link to Internet data will be stored on these devices data will be stored on these devices

before forwardingbefore forwarding plenty of hacks started by compromising a plenty of hacks started by compromising a

router!router!

Standard Internet Standard Internet Protocols and SecurityProtocols and Security

Early Internet:Early Internet: users military personnel, research centre admin, etc. users military personnel, research centre admin, etc. all security vettedall security vetted protocols not designed with security in mindprotocols not designed with security in mind

» about getting data safely & reliably from one place to about getting data safely & reliably from one place to anotheranother

OSI model ordered protocols into a 7-layer OSI model ordered protocols into a 7-layer stack:stack: based on TCP and IPbased on TCP and IP

» user system security already built in at the session layeruser system security already built in at the session layer» no inherent security for data on the moveno inherent security for data on the move

Network-NetworkNetwork-Network Most networks now use TCP/IP for Internet Most networks now use TCP/IP for Internet

connectivityconnectivity Any intelligent device with an IP address Any intelligent device with an IP address

and connected to the Internet theoretically and connected to the Internet theoretically visible across the network/Internetvisible across the network/Internet otherwise, packets couldn’t be navigated to it!otherwise, packets couldn’t be navigated to it!

Data on such a device could be:Data on such a device could be: located using its IP addresslocated using its IP address copied to another destination using a remote copied to another destination using a remote

computer and an appropriate network protocol computer and an appropriate network protocol (e.g. NFS – network file system, part of the (e.g. NFS – network file system, part of the TCP/IP suite))TCP/IP suite))

It really is as simple as that!!!It really is as simple as that!!!

Copying, Changing, or Copying, Changing, or Deleting Data on a Deleting Data on a

networked computernetworked computer Data could be tapped in exactly the same Data could be tapped in exactly the same

way on any Internet computerway on any Internet computer must have an IP address to participate on the must have an IP address to participate on the

InternetInternet

packets going to that computer have a packets going to that computer have a destination IP address in the header, and destination IP address in the header, and headers can easily be readheaders can easily be read

NFS can be used to manage data remotely on NFS can be used to manage data remotely on that computer – which could include copying that computer – which could include copying or (perhaps worse) deleting that data, or even or (perhaps worse) deleting that data, or even BOTHBOTH

Technologies for Technologies for Implementing Security Implementing Security

ControlsControls The rest of this session focuses on The rest of this session focuses on

ensuring the security of data “on ensuring the security of data “on the move”…the move”…through cabling systemsthrough cabling systemsin radio wavesin radio wavesvia human transportation systems via human transportation systems

stored on digital mediastored on digital media» hard disks & CDshard disks & CDs» digital backup tapesdigital backup tapes» USB sticks…USB sticks…

Client-Server Network: do’s and Client-Server Network: do’s and don'ts for administrators don'ts for administrators

Only allow authorised (and TRUSTED) users to Only allow authorised (and TRUSTED) users to gain access to the networkgain access to the network ensure users are always properly authenticatedensure users are always properly authenticated

Only allow network administrators to have full Only allow network administrators to have full accessaccess

Monitor the network continually to provide alerts Monitor the network continually to provide alerts that unauthorised access is being soughtthat unauthorised access is being sought

Encrypt data that will be sent through UTP cables Encrypt data that will be sent through UTP cables and/or held on computers that are connected to and/or held on computers that are connected to the Internetthe Internet

When using the www, use secure versions of When using the www, use secure versions of network protocols and/or tunnelling protocols to network protocols and/or tunnelling protocols to encapsulate and hide dataencapsulate and hide data

The Virtual Private NetworkThe Virtual Private Network

Secure sending of data through the InternetSecure sending of data through the Internet

Only use a restricted and very secure set of Only use a restricted and very secure set of Internet routersInternet routers

No IP address broadcasting, because all packets No IP address broadcasting, because all packets use the same routeuse the same route

IP tunnelling protocol encapsulates dataIP tunnelling protocol encapsulates data» normal Internet users will therefore not be able to see normal Internet users will therefore not be able to see

the sending, receiving, or intermediate IP addressesthe sending, receiving, or intermediate IP addresses Data sent is encryptedData sent is encrypted

Potential hackers don’t get a look in!Potential hackers don’t get a look in!

Encyption/DecryptionEncyption/Decryption Technique of changing digital data Technique of changing digital data

in a mathematical reversible way in a mathematical reversible way Makes it impossible to get at the Makes it impossible to get at the

information… data representing it information… data representing it scrambledscrambled

Coding data not new…Coding data not new…been happening for millenniabeen happening for millenniamany clever techniques involvedmany clever techniques involvedEncryption studies - cryptographyEncryption studies - cryptography

What is Cryptography?What is Cryptography? ““The safe securing, storing, and transmitting The safe securing, storing, and transmitting

of sensitive information”of sensitive information”

Purpose: Purpose: conceal sensitive information from unauthorised conceal sensitive information from unauthorised

personspersons

Outlines protocols, practices, procedures to Outlines protocols, practices, procedures to build components of a build components of a cryptosystem cryptosystem including…including… authenticity (proof of ownership)authenticity (proof of ownership) integrity (data not tampered with in any way)integrity (data not tampered with in any way)

What is a Cryptosystem?What is a Cryptosystem?

Well?....Well?....

OSI layers and OSI layers and cryptosystemcryptosystem

Encryption level depends Encryption level depends on:on: circumstancescircumstances riskrisk value of informationvalue of information

could be layer 1could be layer 1 e.g. electronically, in e.g. electronically, in

communications equipmentcommunications equipment could be layer 7…could be layer 7…

encrypted directly from/to encrypted directly from/to the screenthe screen

Layer 7

Layer 1

screen

hardware

software

Key Escrow & RecoveryKey Escrow & Recovery Law enforcement agencies can Law enforcement agencies can

intervene to decode encypted dataintervene to decode encypted data under a court order in pursuit of criminal evidence or activityunder a court order in pursuit of criminal evidence or activity

Escrow: Escrow: system of checks and balances to ensure that system of checks and balances to ensure that

privacy rights are not infringed where agencies privacy rights are not infringed where agencies need to get hold of encrypted informationneed to get hold of encrypted information

separate agencies keep complementary separate agencies keep complementary components of the key system so no entity components of the key system so no entity possesses a usable keypossesses a usable key

Email data and Email data and EncryptionEncryption

As discussed earlier, sensitive data needs As discussed earlier, sensitive data needs protecting…protecting… Internet designed to be an “open” systemInternet designed to be an “open” system IDs of devices based on IP addressIDs of devices based on IP address

Data at rest or moving round the Internet Data at rest or moving round the Internet could be intercepted by:could be intercepted by: someone with a good knowledge of TCP/IPsomeone with a good knowledge of TCP/IP any IT literate person with the appropriate any IT literate person with the appropriate

softwaresoftware This person could be anywhere in the This person could be anywhere in the

world!world!

How does Encryption How does Encryption work?work?

Unencrypted data sent e.g. in forms or Unencrypted data sent e.g. in forms or email messages over the Internet email messages over the Internet usually a sequence of ASCII codesusually a sequence of ASCII codes

ASCII code generated at keyboard by ASCII code generated at keyboard by converting a selected keyboard character converting a selected keyboard character into a particular binary numberinto a particular binary number

intercepted ASCII codes not secret; very intercepted ASCII codes not secret; very easily converted back to texteasily converted back to text

Encryption of ASCII dataEncryption of ASCII data

Encryption puts further coding onto each Encryption puts further coding onto each ASCII character in some reversible way ASCII character in some reversible way before it is sent. Requires…before it is sent. Requires…

a coding method (often a mathematical a coding method (often a mathematical operation)operation)

a numerical value used with the coding methoda numerical value used with the coding method

The ASCII codes can always be recovered by The ASCII codes can always be recovered by someone who knows the encryption methodsomeone who knows the encryption method

Simple Encryption Simple Encryption ExampleExample

AlgorithmAlgorithm based on a mathematical based on a mathematical operation such as ADDoperation such as ADDkey based on a numerical digit (e.g 5)key based on a numerical digit (e.g 5)

DataData represented by an ASCII code represented by an ASCII code

Algorithm + key produce Algorithm + key produce encrypted encrypted data data

Using EncryptionUsing Encryption

The key must be kept secretThe key must be kept secretanyone with access to the key and the anyone with access to the key and the

algorithm can decrypt the encrypted algorithm can decrypt the encrypted data data

BOTH of:BOTH of:coding methodcoding methodkey used to produce cipher text key used to produce cipher text

needed to decryptneeded to decrypt

DiagramDiagram – single key – single key encryptionencryption

User sends message

via server

server

key

Data is transmitted to

another server

key

Message is coded

Message is decoded

Message is received

Simple example of an Simple example of an Encryption MethodEncryption Method

Method of encryption – add 5 to each Method of encryption – add 5 to each ASCII code (this would be the key)ASCII code (this would be the key) plain text = HELLO (ASCII codes 48 45 4B plain text = HELLO (ASCII codes 48 45 4B

4B 4F)4B 4F) cipher text would be MJQQT (ASCII codes 4D cipher text would be MJQQT (ASCII codes 4D

4A 50 50 54)4A 50 50 54) Getting the original data back would Getting the original data back would

mean subtracting 5 from each ASCII mean subtracting 5 from each ASCII character – very easy to anyone with character – very easy to anyone with access to the keyaccess to the key

Effectiveness of Effectiveness of EncryptionEncryption

Only effective if:Only effective if: either the key remains secreteither the key remains secret or the algorithm remains secretor the algorithm remains secret

WWII: Germans thought they had an WWII: Germans thought they had an encryption method that was impossible encryption method that was impossible to decipherto decipher

With the efforts of the Mathematicians With the efforts of the Mathematicians at Bletchley Park, the key and algorithm at Bletchley Park, the key and algorithm were decipheredwere deciphered

Access to Encrypted DataAccess to Encrypted Data

Stored, encrypted file

NTFS

EFS enabled

File system that supports encryption

Authorised User

Unauthorised User

Dataencrypted

Access Denied

Fileaccessed

“MJQQT”

“HELLO”

Encryption in PracticeEncryption in Practice Many techniques have been developed Many techniques have been developed

Examples:Examples: DES (Data Encryption Standard)DES (Data Encryption Standard) IDEA (ID Encryption Algorithm)IDEA (ID Encryption Algorithm) RSA (Rivest, Shamir, Adleman)RSA (Rivest, Shamir, Adleman) Diffie-HellmannDiffie-Hellmann

Classified into two types:Classified into two types: Symmetric KeySymmetric Key Asymmetric KeyAsymmetric Key

Symmetric EncryptionSymmetric Encryption SSender and receiver share a single, ender and receiver share a single,

common keycommon key – known as a – known as a symmetric symmetric keykey

UUsed sed both both to encrypt and decrypt the to encrypt and decrypt the messagemessage

Advantages: Advantages: simpler and faster than simpler and faster than other systemsother systems

Disadvantages:Disadvantages: the two parties must the two parties must need toneed to exchange the exchange the

key in a secure waykey in a secure way the sender cannot easily be authenticatedthe sender cannot easily be authenticated

DES – an example of DES – an example of symmetric encryptionsymmetric encryption

IBM/US gov, 1974-7; IBM/US gov, 1974-7; still popularstill popular 56-bit encryption working on 64-bit blocks of data56-bit encryption working on 64-bit blocks of data

However, in view of recent research, clearly However, in view of recent research, clearly inadequate for really secure encryptioninadequate for really secure encryption ““Using P2P architecture and over 100,000 Using P2P architecture and over 100,000

participants (using only idle CPU time), participants (using only idle CPU time), distributed.net was able to test 245 billion keys distributed.net was able to test 245 billion keys per second to break the 56 bit DES encryption per second to break the 56 bit DES encryption algorithm in less than 24 hours (22 hours and 15 algorithm in less than 24 hours (22 hours and 15 minutes).”minutes).”

What levels of encryption What levels of encryption are available?are available?

The more complex the key, the The more complex the key, the more difficult the encryption more difficult the encryption method is to deciphermethod is to deciphera single 40-digit key can be a single 40-digit key can be

mathematically deduced very mathematically deduced very quickly using a computerquickly using a computer» known as WEAK encryptionknown as WEAK encryption

an equivalent 128-digit key would an equivalent 128-digit key would take much longer to “crack”take much longer to “crack”» known as STRONG encryptionknown as STRONG encryption

Making Encryption as Making Encryption as Effective as PossibleEffective as Possible

It makes sense to use 128-digit key It makes sense to use 128-digit key encryption if possible….encryption if possible….

However, with commercial products there However, with commercial products there may be trade offs…may be trade offs… e.g. Verisign 40-bit SSLe.g. Verisign 40-bit SSL

» actually 128-bit within USactually 128-bit within US» 40-bit for any communications that go outside 40-bit for any communications that go outside

US borders…US borders… e.g. e.g. Verisign Global Server SSLVerisign Global Server SSL

» ““the world’s strongest encryption”the world’s strongest encryption”» standard for large-scale online merchants, standard for large-scale online merchants,

banks, brokerages, health care organisations banks, brokerages, health care organisations and insurance companies worldwideand insurance companies worldwide

Strong encryption may cost a little moreStrong encryption may cost a little more Is the extra expense going to be justified?Is the extra expense going to be justified?

Breaking an Breaking an Encryption TechniqueEncryption Technique

Usually achieved with the aid of very Usually achieved with the aid of very powerful computerspowerful computers

The more powerful the computer, the The more powerful the computer, the more likely that the key can be more likely that the key can be mathematically deducedmathematically deduced

Until fairly recently, a 128-bit encryption Until fairly recently, a 128-bit encryption key would have been considered to be key would have been considered to be secure secure

However, a research team have now However, a research team have now succeeded in breaking 128 bit encryption succeeded in breaking 128 bit encryption in seconds, using a supercomputer…in seconds, using a supercomputer…

Secure Keys for Today and Secure Keys for Today and Tomorrow…Tomorrow…

256-bit encryption is probably now a 256-bit encryption is probably now a minimum for single key encryptionminimum for single key encryption but only a matter of time…but only a matter of time…

512-bit encryption is currently used by 512-bit encryption is currently used by financial institutions to transfer funds financial institutions to transfer funds electronically via the Internetelectronically via the Internet again, only a matter of time before even again, only a matter of time before even

this can be cracked…this can be cracked… Solution - 1024 bit keys?Solution - 1024 bit keys?