data-in-motion, data-at-rest and gpg
TRANSCRIPT
Data-in-Motion
and
Data-at-RestANKIT P. MEHTA
Main Topics
Data-in-Motion
Data-at-Rest
GnuPG
Data-in-MotionINTRODUCTION TO DATA-IN-MOTION
ADVANTAGES OF DATA-IN-MOTION
ATTACKS ON DATA-IN-MOTION
PREVENTION OF DATA-IN-MOTION
Introduction to Data-in-Motion
Data in motion is data that is being transmitted over a network
Data as it is in transit
Data that is exiting the network via email, web, or other Internet protocols
Data being manipulated by an application
The collection process for data in motion is similar to that of data at
rest; however, the difference lies in the analytics. In this case, the
analytics occur in real-time as the event happens.
Introduction to Data-in-Motion
What can be called Data-in-Motion ?
o Sending an e-mail
o Backing up your laptop data to a central server
o Uploading or downloading files to file-hosting sites
o When connecting/logging into your on-line e-mail account--such as
gmail--at Starbucks; etc.
Advantages of Data-In-Motion
Data in Motion represents a compelling opportunity for
organizations in a variety of industries that rely on extracting value
from data before it is stored, including:
o Retail
o Healthcare
o Manufacturing
o Energy production
o Service provider market sectors
o Internet of Things
Attacks on Data-in-Motion
The biggest threats to data in motion are interception and alteration
Vulnerable to attackers because the attacker does not have to be
near the computer in which the data is being stored rather they only
have to be somewhere along the path
Preventive Measures for those
Attacks
Encrypting the network session ensures a higher security level for
data in motion
Encryption tunnels can protect data along the path of
communications
Virtual Private Networks (VPN)
Secure Shell (SSH)
Advanced Encryption Standard (AES)
Use mechanisms such as Secure Socket Layer (SSL) to encrypt
messages
Use Gnu Privacy Guard (GnuPG) for encrypting messages
Data-at-RestINTRODUCTION TO DATA-AT-REST
ATTACKS ON DATA-AT-REST
VARIOUS PREVENTIVE MECHANISMS
Introduction to Data-at-Rest
Refers to data that has been collected from various sources and is
then analysed after the event occurs
Data stored in persistent storage
Definition:
All data in storage or that which resides in temporary memory. Data at
rest is not limited to archived data, data which is not accessed or
changed frequently, files stored on hard drives, USB thumb drives, files
stored on backup tape and disks, and also files stored off-site or on a
storage area network (SAN).
Attacks on Data-at-Rest
Because of its nature Data at Rest is of increasing concern to businesses, government agencies and other institutions.
Mobile devices are often subject to specific security protocols to protect Data at Rest from unauthorised access when lost or stolen.
There is an increasing recognition that database management systems and file servers should also be considered as at risk.
The longer data is left unused in storage, the more likely it might be retrieved by unauthorized individuals outside the network.
Various Prevention Mechanisms
The encryption of data at rest should only include strong encryption
methods such as AES, RSA, and SHA-256
Cryptography can be implemented on the database housing the
data and on the physical storage the databases are stored.
Data encryption keys should be updated on a regular basis.
Encryption keys should be stored separately from the data.
Periodic auditing of sensitive data should be part of policy and
should occur on scheduled occurrences.
Only store the minimum amount of sensitive data as possible.
Gnu Privacy GuardINTRODUCTION TO GPG
FEATURES OF GPG
GPG ALGORITHMS
CONCEPT OF KEY RINGS
GPG KEY EXCHANGE AND USAGE
GPG CERTIFICATES
WORKING (HANDS-ON)
Introduction to GPG
GPG stands for “Gnu Privacy Guard”
Free implementation of Open PGP
GnuPG allows to encrypt and sign our data and communication
It features a versatile key management system as well as access
modules for all kinds of public key directories.
Source Code is available
Free of cost
Features of GPG
Does not use any patented algorithms
Full OpenPGP implementation
Supports Key and signature expiration dates
Available in multiple languages
Online Help System
Supports algorithms such as DSA, RSA, AES, 3DES, Blowfish, Twofish,
MD5, SHA-1, TIGER and CAST5
GPG Algorithms
Algorithm Type Description
Asymmetric Key RSA , DSS
Message Digest MD5, SHA-1, RIPE-MD
Encryption IDEA, DES-3, AES
Concept of Key Rings
GPG specifies a ring of public-private keys.
A user may want to change his public-private key pair or may want to use a different key pair for different recipients or group of
recipients.
Every GPG user needs to have two sets of keys rings:
A ring for his own public-private key pairs
A ring for the public keys of other users
GPG Key Exchange and Usage
Sender’s side:
Sender creates a message digest of the original message and encrypts
it using his private key from one of the key in the “Key Ring”.
Sender creates a one-time symmetric key.
Sender uses the public key (by looking in the public Key Ring) of the
intended recipient to encrypt the one-time symmetric key created.
Usually RSA algorithm is used for this.
Sender encrypts the Digital Signature with the one-time symmetric key.
Sender sends the encrypted original message and digital signature to
the receiver.
GPG Key Exchange and Usage
Receiver’s side:
Receiver uses his private key to obtain the one-time symmetric key
created by the sender.
Receiver uses the one-time key to decrypt the message.
Receiver computes a message digest of the original message.(say MD1)
Receiver uses the one-time key to obtain original digital signature.
Receiver uses the sender’s public key from the Key Ring to decrypt the
digital signature and gets back the original message digest.(say MD2)
Receiver compares message digest MD1 and MD2. If they match,
receiver is sure about the message integrity and authentication of the
message sender.
GPG Certificates
GPG can use certificates issued by Certification Authority or can use its own certificate system.
In GPG, there is no CA.
This creates a situation where a user can have certificates issued by different users.
“Introducer” acts as a CA in GPG.
Concept of:
Introducer Trust
Certificate Trust
Key Legitimacy
Web of Trust
Setup Screenshots
Thank YouANY QUESTIONS?