Presented by

Post on 19-Mar-2016

TRANSCRIPT

Page 1: Presented by

Presented by

Page 2

Offering software solutions worldwide for over 20 years

RACF Administration

Cryptography

Catalog Management and Recovery

Storage Management

SMF Management

Enterprise Password Reset and Sync

Page 3

Your Presenter

Greg Thomason
ASPG Technical Support
(800) 662-6090
[email protected]

Page 4

Today’s Agenda

History

Terminology

Solving Business Problems

Standards for Implementation

Key Storage and Security

Performance

Interoperation

Page 5

What is Cryptography?

Cryptography is the process of securing data using encryption.

Encryption for Data Confidentiality

Digital Signatures for Signing and Verification

Hashing for Data Integrity

Parts of a Cryptographic System

Page 6

Security Mandates

• Sarbanes-Oxley (SOX): Companies must retain and protect financial records.

• HIPAA: Ensures the protection of Personal Health Information.

• FERPA: Protection of Student Information.

• Gramm-Leach-Bliley: Protection of customer transaction records/information.

• Payment Card Industry (PCI): Merchants who store, process or transmit cardholder data must implement strong access control measures.

• California Security Breach Information Act: Protects personal information and requires reporting of security breaches involving unencrypted data.

• Business-to-Business

• Personal Information Protection & Electronic Documents Act (PIPEDA): Canadian act that protects personal information.

• Personal Health Information Protection Act (PHIPA): Canadian law that requires patients' personal health information to be held private, confidential and secure.

Page 7

Why Use Cryptography?

- Supplement Data Access Security

- When Access Protection is breached

- When Access Security is not available

- Additional benefits of cryptographic systems

Page 8

History

“Classical”: permutation and substitution

“Medieval”: polyalphabetic substitution

1883: Playfair cipher (digraphic)

WWII: Enigma Machine

1970’s: DES / RSA / Asymmetric

1990’s: PGP, Blowfish, SHA, SSL

2000’s: AES, OpenPGP, OpenSSL

Page 9

Terminology

Plaintext: Original data

Ciphertext: Encrypted plaintext

Cryptanalysis: Breaking ciphertext

Cryptology: Branch of math for Cryptography

Algorithm: Mathematical Function

Key: Data value used by an algorithm

Hash: Message digest of plaintext

Fingerprint: A hash of a key

Page 10

Concepts

Cryptographic System: A “cryptosystem” includes all of the protocols, algorithms, and keys used to encipher and decipher messages. Example: OpenPGP

Key Management: Key Management includes any action that concerns your cryptographic keys: storage, access, generation, exchange, and replacement. Example: Key Import

Page 11

Methods for Encryption

Symmetric (Password Encryption): Same key is used for Encryption and Decryption.

Asymmetric (Public Key Encryption): Different “public and private” keys are used for Encryption and Decryption.

Page 12

Encryption Operations

Data at Rest: Encryption of only specific sensitive files stored on disk or tape.

Data in Transit: Encryption of data during a transfer.

Data in Process: Encryption routines added to your custom application.

Disk or Tape: Encryption of the entire disk or tape media regardless of data sensitivity.

Page 13

Implementing Encryption

Software Solutions

• Executed via Software Routines

• Many support HW Acceleration for cryptographic instructions

Pros:

• Flexibility

• Recoverability

• Compatibility

• Interoperability

Cons:

• Potential programming effort

• Alter batch processing

Appliance Solutions

• Executed at the storage device

• Dedicated processor for cryptographic instructions

Pros:

• Minimal administration after initial setup.

Cons:

• Data must be on the device

• Lack openness / compatibility

• Symmetric processing only

Page 14

Symmetric Encryption

Same Key is Used to Encrypt and Decrypt

Use a Password or “secret key”

• Pros

– Very efficient use of CPU for larger files

• Cons

– Key management/security issues

• Especially with large # of business partners

• Keys that decrypt data can exist in more than one place

Page 15

Asymmetric Encryption

Public Key Encryption

A key owner generates a key pair.

• Public Key

– Used for encryption only

– Is exported from the key pair

– Sent to users who will encrypt

• Private Key

– Used for decryption

– Securely stored by key owner

– Never share the private key

Page 16

Hashing for Data Integrity

Verification that the data has not been modified

Checksum, Seal or Message Digest

• Is created by processing cleartext using a Hashing algorithm

• If data has changed, the checksum will be different.

Page 17

Digital Signatures for Verification

Verify the sender of the data that you decrypt

Sign with Private Key

Verify with Public Key

• Authentication when signing

• Sender is confirmed
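As an added example that is not part of the original presentation, the Go program below puts the hashing slide and the digital signature slide into working standard-library code: a SHA-256 digest detects a modified record, and an Ed25519 key pair signs with the private key and verifies with the public key. The sample record, the choice of Ed25519 and the function names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Digest is the "checksum, seal or message digest": any change to the data changes it.
func Digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// IntegrityOK re-hashes received data and compares it with the stored digest.
func IntegrityOK(data, storedDigest []byte) bool {
	return bytes.Equal(Digest(data), storedDigest)
}

// KeyPair generates the owner's pair: public key exported to partners, private key kept.
func KeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign signs with the private key; Verify checks with the public key and returns
// false if the data or signature changed, or the public key belongs to another pair.
func Sign(priv ed25519.PrivateKey, data []byte) []byte { return ed25519.Sign(priv, data) }
func Verify(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	// Constructed sample record standing in for a file sent to a business partner.
	record := []byte("ACCT=12345;AMOUNT=100.00;DATE=2016-03-19")
	tampered := []byte("ACCT=12345;AMOUNT=900.00;DATE=2016-03-19")
	d := Digest(record)
	fmt.Println("original passes integrity check:", IntegrityOK(record, d))  // true
	fmt.Println("tampered passes integrity check:", IntegrityOK(tampered, d)) // false
	pub, priv, err := KeyPair()
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, record)
	otherPub, _, _ := KeyPair() // a different owner's public key
	fmt.Println("signature verifies:", Verify(pub, record, sig))                  // true
	fmt.Println("signature on tampered data:", Verify(pub, tampered, sig))        // false
	fmt.Println("verified with wrong public key:", Verify(otherPub, record, sig)) // false
}
```

Note that a digest alone only detects accidental or unsigned modification; the signature is what ties the data to a specific key owner.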

Page 18

OpenPGP

An internet standard to define a protocol for PGP-like interoperation

Main features

• asymmetric and symmetric encryption

• digital signatures

• text compression

• binary to base-64 conversion

Page 19

Key Storage & Security

Only authorized users should access keys

User’s brain (password)

Shared secret (password in parts)

Key Encrypting Keys (GnuPG)

Key Control Vectors (ICSF)

Access permission (RACF)

Combinations of these

Page 20

Performance

Features that affect Cryptographic Performance

• Algorithm Type

• Amount of data to process

• Compression time

• Batch processing

• Available system resources

• Hardware Acceleration

Page 21

Associated Tasks

Issues that impact Operations

• Compression / Decompression

• Tape resources

• Disaster Recovery

• Plaintext Encoding

• Ciphertext Encoding

• Training and Support

Page 22

Getting Started

Preparing for your Cryptography Project

• Create a Security Policy

- Legal Requirements

- Business Partners

- What must be encrypted

• Trial and Acquire Products

- Adherence to Standards

- Interoperability / Compatibility

- Free Tools and Enhancements

• Human Resources

- Training

- Hiring

Page 23

Your Questions

Contact ASPG for more information

Email: [email protected] [email protected]

Phone: (800) 662-6090