Passing Sensitive Data Through the Public DomainSteve Cornish

steve@blazingpath.com | @stevesquirrol | linkedin.com/in/stevecornish

4th May 2016

About meBy day…• Contracting Digital / Integration

Architect• Currently @ Vodafone

By night…• CTO of Squirrol – a Social Network for

Collectors• Cool tech• Pre-funding stage• Site is live: https://squirrol.com

Why protect data?Public domain => Internet => untrusted network

• Is the integrity of the data important?• Is the privacy of the data important?

Data Integrity / AuthenticationHMAC functions can be used to verify a message…

a) Comes from the expected sourceb) Has not been tampered with in flight

With HMAC, both the source and target generate a token (the MAC) from the message using a shared key which is compared to establish integrity.

HMAC…

Message…

Generate MAC from message

Generate MAC from message

MAC 1

Shared Secret

Shared Secret

Source

Target

MAC 2 Compare MACs

Data Privacy• Symmetric and Asymmetric cryptography can be used to secure

data in flight

• Symmetric encryption (e.g. AES):• The same key is used to encrypt the data and to decrypt the cipher

• Asymmetric encryption (”Public Key Cryptography” / PKI):• Consists of a public/private key pair• The data is encrypted using the public key, and decrypted using the private key

Symmetric…

Message…

encrypt

decrypt…

Message…

110101010101001101010101011

Shared Key

Shared Key

Source

Target

Asymmetric…

Message…

encrypt

decrypt…

Message…

110101010101001101010101011

(Target) Public Key

(Target) Private Key

Source

Target

Summary• Data Integrity and Data Privacy are two concerns of Data Security• Data Integrity can be assured using HMACs• Data Privacy can be enforced using cryptography

Data Security is a big subject – we’ve only scratched the surface

Thank you… Questions?

AppendixPerformance• HMAC-SHA256

• 1m MACs in 4.76s• AES-128

• 1m encrypts in 2.54s• 1m decrypts in 2.13s

(Run on a 5 year old Dell Latitude E6410 with Core i5, 4GB RAM, Win 7 32-Bit…)