If you're not terrified, you're not paying attention.
Every organization in the world, large and small, should be concerned about Data Security. Virtually every week there’s a well-publicized and embarrassing data breach that serves to remind how important it is to protect both customer and enterprise information.
Tools and techniques exist to help, for managing identity, authentication, and authorization. Encryption is also an effective way of making it harder for people to steal your secrets. But it isn't magical, it isn't fool proof and, depending on how you are using it, may be completely useless. You don't have to understand the math (although that will help), but you do have to understand what encryption will and won't do for you.
Data and web security today
Protecting data in transit
Protecting data at rest
What advantage does Encryption provide?
How can you build encrypted data protection into your software and systems?
Are there business trade-offs?
Implications for specific industries (financial, health)
3. Speaker Qualifications
Specialize in next-generation technologies
Author of "Resource-Oriented Architecture Patterns for Webs of Data"
Speaks internationally about REST, Semantic Web, Security, Visualization,
Architecture
Worked in Defense, Finance, Retail, Hospitality, Video Game, Health Care and
Publishing Industries
One of Top 100 Semantic Web People
·
·
·
·
·
2/55
6. Whoever thinks his problem can be solved
using cryptography, doesn't understand his
problem and doesn't understand
cryptography.
“
”
Roger Needham/Butler Lampson
7. CC BY-SA 3.0 (http://en.wikipedia.org/wiki/Scytale)
6/55
15. A cryptosystem should be secure even if the attacker knows all details about the
system, with the exception of the secret key. In particular, the system should be
secure when the attacker knows the encryption and decryption algorithms.
“
”
Auguste Kerckhoffs (1883)
27. Diffie-Helman Key Exchange (DHKE)
First published asymmetric crypto scheme (1976)
Influenced by work of Ralph Merkle
Discovered earlier at GCHQ but was classified
Allows derivation of a secret key over public channels
Based upon the Discrete Logarithm Problem
·
·
·
·
·
26/55
40. Dual_EC_DRBG
Dual Elliptic Curve Deterministic Random Bit Generator
PRNG algorithm (ISO 18031 and NIST Standard)
In 2007, concern about a backdoor
Required for FIPS 140-2
BULLRUN revelations implicated Dual_EC_DRBG
NIST recommends against use
NSA reportedly paid RSA to make Dual_EC_DRBG default PRNG
NSA requested RSA add TLS extension to expose more PRNG data
·
·
·
·
·
·
·
·
39/55
41. RdRand
Intel instruction for returning random numbers from on-chip RNG with its own
source of entropy
Compliant with NIST SP 800-90A, FIPS 140-2 and ANSI X9.82
SP 800-90 requires CTR DRBG, Hash DRBG, HMAC DRBG and Dual_EC_DRBG
Not pulled from Linux
Pulled from FreeBSD
·
·
·
·
·
40/55
43. The main objective of secure system design is to make breaking the system more
costly than the value of the protected assets , where the 'cost' should be
measured in monetary value but also in more abstract terms such as effort or
reputation .
“
”
Christof Paar and Jan Pelzl
Understanding Cryptography: A Textbook for Students and Practitioners
44. [Security Engineering] is about building
systems to remain dependable in the face of
malice, error, or mischance.
“
”
Ross J. Anderson
Security Engineering