Skip to main content
IT Unconference

Encryption

Proposed by Philip de Louraille

Notes

Speaker: Philip de Louraille
Notes Taker: vivienwu@stanford.edu
 
Why? why do we need to encrypt the data?
In case of equipment/devices/computers are lost, if the devices are encrypted, we do not need to mitigate the data loss.
What is Encryption?
Two types of encryption: symmetric and asymmetric
Attributes: Key (password), Key Length (character length)
To make encryption unbreakable/uncrackable,
Mathematical theorem: Make the key as long as the text you are trying to protect and the encryption will be unbreakable.
Weaknesses of  encryption: it is not the algorithms, it is their programming.
Send the key by different means (different from the data itself)
Asymmetric: private (yourself) and public keys (PKI, EKCM)
To be signed : use your private key encryption to sign the message
To be encrypted: send the messages to someone else and msg needs to be encrypted 
To send: The messages is signed by your private key, encrypted by the recipients public keys
To receive: The messages can be decrypted using your private key (since it was encrypted via your public key) and you can verify the sender using their public key.
Cryptographyand NSA
The conspiracy: AES-256 (NIST is overseeing the selection of encryption) and intentionally choose a weaker agorithm (so the governmnet can listen when needed?)
PGP. 2048 now, 4096 for DCDM. AES-256 was forecasted to withstand 100-year.
 
What is Cipher? an algorithm to make the data appears randomized.
DES : 56bit
3DES : 3 x 56 bits
Symmetric: AES
Asymmetric RSA

How does ssh/ssl/TLS work?
No central body to oversee all of CAs (Certificate Authority)
CAs : trusted vs untrusted. 5 level of CA trust.
When initiating a SSL/TLC, the browser gets the public key of a website which has been signed by a CA public key and negotiate the key/key-length.

What is Hash?
Use hash to check against the data integrity (to ensure it has not been tempered)
4- principles: fast to generate, one-way function (no reverse), any mod to message changes the hash, two msg cannot share the same hash

What is Disk Encryption? (SWDE stands for Stanford Whole Disk Encryption)
disk
partition
file, directories
key escrow: BigFix 
Another adv of full disk encryption: strong assertion that data cannot be recovered

Stories of the TrueCrypt (FileLock and BitLocker)
The developers have not made themselves known
One time posted the following messages "All bets are off. Use BitLocker.".
One should think twice before using TrueCrypt.

Secure Wipe
Multiple passes of randoms 0 & 1 needed because magnetism leaves a trace even when written over.
Use encryption and it may not be necessary to wipe a drive before getting rid of it.
 

Full Disk Encryption only stops attacker at pre-boot stages (or computer whose screen saver engaged); but not stopping malware install as the malware will run as the user (hence have access to the decrypted data)
New attacts from inserting USB drives, external drives, etc. Malware installed in the controller of these devices. (so don't accept free USB sticks!)
When traveling to foreign countries, take vanilla computers (Stanford provide loaners).
Clients side: Firefox can turn off SSLv3.  Chrome needs to be fixed via shortcuts or cli (so don't down negotiate SSLv3). Heartbleed is way more dangerous. Can enumerate system memory without any credentials.