Joseph Webster, CISSP
Senior Member IEEE
BSEE Colorado State University
Software and Systems Security Architect
Founding member of ShieldMyfiles
Encryption ≠ Protection
A proposed framework for thinking about file security
June 9th, 2015
Introduction 1.0
Alice needs Bob’s file.
But…
Bob’s file is sensitive, and Bob doesn’t want anyone but Alice to see it.
Introduction 1.1
Bob fears for the security of his files in the cloud
After all, Bob doesn’t control his cloud
Bob Has Some Concerns…
Introduction 1.1
Bob Doesn’t Want to Exchange Keys or Certificates …
Login Vignette Production Slide
It Shouldn’t Take a Portal to Share a Single File!
Bob Doesn’t Have Time to Manage a Million User Accounts!
Introduction 1.1
You Can’t Keep a Secret By Telling It!
A Framework For File Protection
There are 3 Tenets to this Framework:
1) Obfuscation
2) Access Controls: Who, How, When and Where files may be accessed
3) Auditability
Requiring Separation of Duties
Obfuscation
Obfuscation = Custody
Physical World
• Bank
• Safety Deposit Box
• Protection without Possession
Digital World
• Encryption
• Enciphering
• Steganography
Access Controls
Access Controls = Authorization
Physical World - Bank
• Hours of Operation
• Signature Card
• Finger Print
• Physical Location
• Account Number
Digital World
• Where – Geolocation
• When – Expiration
• Who – Biometrics
• Who – Password
• How – UserID
Auditability
Auditability = Auditability
Physical World – Bank Statement
• Account/User Information
• Transaction History
• Transaction Information
Digital World
• Identifying Information
• Transaction Information
• Transaction History
• Recreate a system state, and events over time, for post facto identification of problems
Alice’s Statement
000-7-17-12-0-14-26 - Super Secret Bank - Zurich
Section 1 – Identifying Information
Account:
Signature Card:
Finger Print:
Section 2 – Transaction Information
Date: Not a Holiday, Not a Weekend.
Time:
Section 3 – Transaction History
Applying the Framework
TRUECRYPT
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
Obfuscation
~ Access Controls
X Auditability
• Uses Derived Key Cryptography
• Public/Private Key
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
• Uses Derived Key Cryptography
• Passphrase/Key Files
Obfuscation
~ Access Controls
X Auditability
Applying the Framework Cloud
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
~ Obfuscation
Access Controls
Auditability
• Yes, but not from Google
• Passphrase, Multifactor, Share
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
• AES256/TLS256
• Passphrase, Plugins, Sharing
~ Obfuscation
Access Controls
Auditability
• Work Edition
• Very Nice Dashboards
Meeting the Framework
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
• Deriving/Issuing keys can be dangerous, especially with cloud services
• Need multiple avenues for authorization to fit security to need
• Chain of custody is essential
• Only works if keys are not derived/issued by the Obfuscation, Access Control and Auditability provider
• Protection WITHOUT Possession
TRUECRYPT
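An added example (not from the original slides) of the Access Controls and Auditability tenets working together: each request is checked against who/how/when/where, and every decision is written to a MAC-chained log so the history can be replayed and checked afterwards. The policy values, addresses, function names and the `AuditLog` class are hypothetical; the audit key is assumed to be held by a party other than the storage provider.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed sample policy for one shared file (all values hypothetical).
POLICY = {
    "who": {"alice@example.com"},
    "how": {"password+otp"},
    "not_after": datetime(2015, 7, 1, tzinfo=timezone.utc),  # expiration
    "where": {"US", "CH"},                                   # geolocation
}

def authorize(policy, who, how, when, where):
    """Answer the four access-control questions; return (allowed, failed)."""
    checks = {
        "who": who in policy["who"],
        "how": how in policy["how"],
        "when": when <= policy["not_after"],
        "where": where in policy["where"],
    }
    failed = [name for name, ok in checks.items() if not ok]
    return not failed, failed

class AuditLog:
    """Append-only log; each MAC covers the previous MAC (chain of custody).
    Assumption: audit_key is not issued or held by the storage provider."""
    def __init__(self, audit_key):
        self._key, self.entries = audit_key, []

    def _mac(self, prev, body):
        return hmac.new(self._key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        self.entries.append({"event": body, "mac": self._mac(prev, body)})

    def verify(self):
        """False if any entry was altered, reordered or removed mid-chain."""
        prev = "0" * 64
        for e in self.entries:
            if not hmac.compare_digest(self._mac(prev, e["event"]), e["mac"]):
                return False
            prev = e["mac"]
        return True

def request_access(policy, log, who, how, when, where):
    """Decide, then record the decision whether or not it was allowed."""
    allowed, failed = authorize(policy, who, how, when, where)
    log.append({"who": who, "how": how, "when": when.isoformat(),
                "where": where, "allowed": allowed, "failed": failed})
    return allowed
```

The chain alone does not reveal entries cut from the end of the log; the verifying party would also need to keep the latest MAC or an entry count.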
Joseph Webster, [email protected]
J. Max Romanik, J.D., [email protected]
Christopher S. Webster, J.D.
https://www.shieldmyfiles.com/