This presentation covers an open source technology (GPG) used to send and receive E-mails securely and also basics of the underlying concepts which this technology uses - Data in Motion and Data at Rest

1. Data-in-Motion
and
Data-at-Rest
ANKIT P. MEHTA

2. Main Topics
 Data-in-Motion
 Data-at-Rest
 GnuPG

3. Data-in-Motion
INTRODUCTION TO DATA-IN-MOTION
ADVANTAGES OF DATA-IN-MOTION
ATTACKS ON DATA-IN-MOTION
PREVENTION OF DATA-IN-MOTION

4. Introduction to Data-in-Motion
 Data in motion is data that is being transmitted over a network
 Data as it is in transit
 Data that is exiting the network via email, web, or other Internet
protocols
 Data being manipulated by an application
 The collection process for data in motion is similar to that of data at
rest; however, the difference lies in the analytics. In this case, the
analytics occur in real-time as the event happens.

5. Introduction to Data-in-Motion
 What can be called Data-in-Motion ?
o Sending an e-mail
o Backing up your laptop data to a central server
o Uploading or downloading files to file-hosting sites
o When connecting/logging into your on-line e-mail account--such as
gmail--at Starbucks; etc.

6. Advantages of Data-In-Motion
 Data in Motion represents a compelling opportunity for
organizations in a variety of industries that rely on extracting value
from data before it is stored, including:
o Retail
o Healthcare
o Manufacturing
o Energy production
o Service provider market sectors
o Internet of Things

7. Attacks on Data-in-Motion
 The biggest threats to data in motion are interception and alteration
 Vulnerable to attackers because the attacker does not have to be
near the computer in which the data is being stored rather they only
have to be somewhere along the path

8. Preventive Measures for those
Attacks
 Encrypting the network session ensures a higher security level for
data in motion
 Encryption tunnels can protect data along the path of
communications
 Virtual Private Networks (VPN)
 Secure Shell (SSH)
 Advanced Encryption Standard (AES)
 Use mechanisms such as Secure Socket Layer (SSL) to encrypt
messages
 Use Gnu Privacy Guard (GnuPG) for encrypting messages

9. Data-at-Rest
INTRODUCTION TO DATA-AT-REST
ATTACKS ON DATA-AT-REST
VARIOUS PREVENTIVE MECHANISMS

10. Introduction to Data-at-Rest
 Refers to data that has been collected from various sources and is
then analysed after the event occurs
 Data stored in persistent storage
 Definition:
 All data in storage or that which resides in temporary memory. Data at
rest is not limited to archived data, data which is not accessed or
changed frequently, files stored on hard drives, USB thumb drives, files
stored on backup tape and disks, and also files stored off-site or on a
storage area network (SAN).

11. Attacks on Data-at-Rest
 Because of its nature Data at Rest is of increasing concern to
businesses, government agencies and other institutions.
 Mobile devices are often subject to specific security protocols to
protect Data at Rest from unauthorised access when lost or stolen.
 There is an increasing recognition that database management
systems and file servers should also be considered as at risk.
 The longer data is left unused in storage, the more likely it might be
retrieved by unauthorized individuals outside the network.

12. Various Prevention Mechanisms
 The encryption of data at rest should only include strong encryption
methods such as AES, RSA, and SHA-256
 Cryptography can be implemented on the database housing the
data and on the physical storage the databases are stored.
 Data encryption keys should be updated on a regular basis.
 Encryption keys should be stored separately from the data.
 Periodic auditing of sensitive data should be part of policy and
should occur on scheduled occurrences.
 Only store the minimum amount of sensitive data as possible.

13. Gnu Privacy Guard
INTRODUCTION TO GPG
FEATURES OF GPG
GPG ALGORITHMS
CONCEPT OF KEY RINGS
GPG KEY EXCHANGE AND USAGE
GPG CERTIFICATES
WORKING (HANDS-ON)

14. Introduction to GPG
 GPG stands for “Gnu Privacy Guard”
 Free implementation of Open PGP
 GnuPG allows to encrypt and sign our data and communication
 It features a versatile key management system as well as access
modules for all kinds of public key directories.
 Source Code is available
 Free of cost

15. Features of GPG
 Does not use any patented algorithms
 Full OpenPGP implementation
 Supports Key and signature expiration dates
 Available in multiple languages
 Online Help System
 Supports algorithms such as DSA, RSA, AES, 3DES, Blowfish, Twofish,
MD5, SHA-1, TIGER and CAST5

16. GPG Algorithms
Algorithm Type Description
Asymmetric Key RSA , DSS
Message Digest MD5, SHA-1, RIPE-MD
Encryption IDEA, DES-3, AES

17. Concept of Key Rings
 GPG specifies a ring of public-private keys.
 A user may want to change his public-private key pair or may want
to use a different key pair for different recipients or group of
recipients.
 Every GPG user needs to have two sets of keys rings:
 A ring for his own public-private key pairs
 A ring for the public keys of other users

18. GPG Key Exchange and Usage
 Sender’s side:
 Sender creates a message digest of the original message and encrypts
it using his private key from one of the key in the “Key Ring”.
 Sender creates a one-time symmetric key.
 Sender uses the public key (by looking in the public Key Ring) of the
intended recipient to encrypt the one-time symmetric key created.
Usually RSA algorithm is used for this.
 Sender encrypts the Digital Signature with the one-time symmetric key.
 Sender sends the encrypted original message and digital signature to
the receiver.

19. GPG Key Exchange and Usage
 Receiver’s side:
 Receiver uses his private key to obtain the one-time symmetric key
created by the sender.
 Receiver uses the one-time key to decrypt the message.
 Receiver computes a message digest of the original message.(say MD1)
 Receiver uses the one-time key to obtain original digital signature.
 Receiver uses the sender’s public key from the Key Ring to decrypt the
digital signature and gets back the original message digest.(say MD2)
 Receiver compares message digest MD1 and MD2. If they match,
receiver is sure about the message integrity and authentication of the
message sender.

20. GPG Certificates
 GPG can use certificates issued by Certification Authority or can use
its own certificate system.
 In GPG, there is no CA.
 This creates a situation where a user can have certificates issued by
different users.
 “Introducer” acts as a CA in GPG.
 Concept of:
 Introducer Trust
 Certificate Trust
 Key Legitimacy
 Web of Trust

21. Setup Screenshots

27. Thank You
ANY QUESTIONS?