The Cryptography Chronicles Explaining the Unexplained: Part Two


Something You Know
• Credentials: PIN, Password
• Significance: Shared, Compromised, Forgotten
Something You Have
• Credentials: Key, ID Card, Token
• Significance: Lost, Stolen or Forgotten
Somewhere You Are
• Credentials: GPS, Phone
• Significance: Confirms credentials by location
Something You Are or Do!
• Credentials: Biometrics
• Significance: Unique identifier but not secret
NSA Suite A
NSA Suite B
NSA Suite C

Data at Rest Cryptography
• BitLocker
• TrueCrypt
• Encrypting File System
• Physical Hardware based Solutions
• Hashing
Data in Transit
• EAP/TLS
• PGP, SSL, SSTP, IPSec
• BitLocker to Go
• Secure Email
• Rights Management (RMS)
• PKI

Secure Authentication
• RSA Token
• Digital Certificates
• Multi Factor Authentication
• DNSSEC
• Kerberos
Secure Sockets Layer SSL / TLS

Plain protocol / port      Secured protocol / port
HTTP   80                  HTTPS   443
SMTP   25                  SSMTP   465
POP3   110                 SPOP3   995

Transport Layer
Network Layer
Link Layer
SSL protocol stack:
  SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | HTTP
  SSL Record Protocol
  TCP
  IP
(1) Handshake & Agree on Method of Encryption
Host and Server each advertise the algorithms they support (the slide shows the same list on both sides):

Key              Cipher    Hash
RSA              RC4       HMAC-MD5
Diffie-Hellman   3-DES     HMAC-SHA2
DSA              AES 128

Each side's Hello carries: Version 3.3, Random Number 29873456234234…
(2) Server Sends a Certificate To Confirm Identity
Host <-> Server

(3) Your Computer Says “Start Encrypting”
Host <-> Server
Both Computers Calculate a master Secret Code
Your Computer Now Asks the Server to Encrypt!
  “Ok Let’s Start Now”
  “I’m Going to Send Encrypted Messages”
  “Let’s Go!”

(4) Server Starts Encrypting
Host <-> Server
(Marcus the Evil Hacker)

(5) All Content is Now Encrypted
Host <-> Server

SSL / TLS provides: Authentication, Confidentiality, Key Management
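As an added example (not part of the session's slides), this parses a constructed TLS 1.2 ClientHello record, the message that carries the Version 3.3 and Random Number shown for step (1), and lists the key/cipher/hash suites the client offers. The cipher-suite table and the choice of which suites to flag as weak (RC4/MD5 and 3DES) are this example's own assumptions; the record builder only exists to produce sample input.

```python
import struct

# Subset of IANA cipher-suite codes covering the families on the slide:
# RSA/RC4/HMAC-MD5, Diffie-Hellman/3DES/HMAC-SHA2, AES-128 (assumed subset).
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
}
WEAK = {0x0004, 0x000A}  # assumption: flag RC4/MD5 and 3DES suites as weak

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (handshake step 1)."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 0x16 or len(body) != rec_len:
        raise ValueError("not a complete Handshake record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_type != 0x01 or len(hello) != hs_len:
        raise ValueError("not a complete ClientHello")
    major, minor = hello[0], hello[1]         # 3.3 on the slide is TLS 1.2
    client_random = hello[2:34]               # 32-byte client random
    pos = 35 + hello[34]                      # skip session id (len byte + id)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    codes = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compression = list(hello[pos + 1:pos + 1 + hello[pos]])  # null (0) is the normal value
    return {
        "version": f"{major}.{minor}",
        "random_hex": client_random.hex(),
        "cipher_suites": [CIPHER_SUITES.get(c, f"unknown_0x{c:04x}") for c in codes],
        "weak_suites": [CIPHER_SUITES[c] for c in codes if c in WEAK],
        "compression": compression,
    }

def build_client_hello(codes, client_random=bytes(range(32))) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record as sample input (no extensions)."""
    hello = bytes([3, 3]) + client_random + b"\x00"   # version, random, empty session id
    hello += struct.pack("!H", 2 * len(codes)) + b"".join(struct.pack("!H", c) for c in codes)
    hello += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake
```

A record that is shorter than its own length fields claims is rejected rather than parsed, which is the check a capture-based detection script needs before trusting the offered suite list.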
Application Layer
  HTTPS 443 / SSMTP 465 / SPOP3 995
  HTTP 80 / SMTP 25 / POP3 110
Secure Sockets Layer SSL / TLS
Transport Layer: TCP – UDP - ICMP
Network Layer: IPSec
Link Layer

IPsec can Provide Security Between any Pair of Network-Layer Entities (E.g., Between Two Hosts, Two Routers, or a Host and a Router).
DirectAccess / VPN client architecture:
  Local Area Network — Internet — DirectAccess UAG Server
  DirectAccess / VPN Client components:
  • Local or AD Group Policy
  • Network Application + Local IPSec Agent
  • Client IPSec Policy Module
  • IPSec Driver
  • TCP/IP Protocol Driver
  • Security Association Database
  • IKE (ISAKMP) <-> Server
ISAKMP = Internet Security Association and Key Management Protocol
(Most common and most important)
PKI hierarchy:
Root CA
  Intermediate CA
    Subordinate CA
      User & Computer Certificates
  Intermediate CA
    Subordinate CA
      User & Computer Certificates
Domain Logon Process / Smartcard Logon Process
• Domain Admin: Security Group, Policy Applied, Group Policy distribution
• Certificate services: Certificate Publication, Notification mapping to User Accounts, Computers etc.
• KDC / Domain Controller, Active Directory
• Domain User, Domain Client
Hardware Based Solutions
• Proprietary
• Expensive
• Fast
• Difficult to Manage
Software Based Solutions
• Lower cost
• Does not require specific hardware
File Based Solutions
• Done on a file-by-file basis (only protects file)
• Not automatic
• Dependent on end-user
• WinZip, EFS, Etc
Disk / Full Volume Based Solutions
• Encrypts entire drive (most secure)
• Automatic; transparent to the user
• But … if you lock yourself out, you’re in trouble
• Need administrative control
BitLocker sector encryption pipeline:
  Plain Text (512 – 8192 Bytes) + Key (512 Bits) -> Derive Sector Key -> A-Diffuser -> B-Diffuser -> AES CBC -> CipherText
Drive Type: Operating System Drives; Other Hard Drive; Portable Drives (BitLocker to Go)
Unlock Methods: TPM; TPM+PIN; TPM+Startup key; TPM+PIN+Startup Key; Startup key; Certificate (for Fixed Drives and Removable Drives)
Recovery Methods: Recovery password; Recovery Key; Active Directory backup of recovery password; Data Recovery Agent (DRA)
Memory Analysis – BitLocker Driver is Working on Disk Layer – FVEVOL.SYS Encrypts on the Fly
Low Impact on Performance, Typically < 5%

Management
• Robust and consistent Group Policy enforcement
• Supports Windows 7 and Windows 8
• Minimum PIN Length
Other requirements
• Drive preparation fully integrated in BitLocker setup.
• System partition size: 200MB without WinRE, 400MB with WinRE
• System partition letterless
• Uses NTFS file system
Pre Key + Random Data (011001101010001) = Key

ATGCTCGAAGCT
DNA (Deoxyribonucleic acid)
• Genetic information “memory”
• Nucleotides strung into polymer chains (DNA Strands)
• Four classes of nucleotides: Adenine, Guanine, Cytosine, Thymine (A,C,G,T)
Source: http://qubit.nist.gov/Images/OptLat.jpg
Related sessions:
• The Cryptography Chronicles: Explaining the Unexplained Part 1
• The Cryptography Chronicles: Explaining the Unexplained Part 2
• Lock, Stock & Two Smoking Smart Devices!
• Cyber Threats Panel

Resources:
• http://northamerica.msteched.com
• www.microsoft.com/learning
• http://microsoft.com/technet
• http://microsoft.com/msdn