Table of Contents
- Getting Started | Overview | Resources | Standards
- Cryptographic Controls
Tip: In order to implement encryption effectively throughout an institution of higher education, start by developing a strategy that incorporates risk management, compliance requirements, data protection, policies, and standards.
Note: Encryption is often a computationally intensive process and may degrade performance of IT applications or infrastructure if not implemented in an optimal way. Be sure to calculate the performance requirements of enterprise services and end users before implementing encryption methods. Develop an implementation strategy, gather requirements, complete test plans, deploy following the best practices of the products in use, and effectively manage ongoing encryption solutions.
Chapter Summary
This chapter provides a top-level overview of cryptography and addresses topics from symmetric key cryptography to public key cryptography, various encryption standards, and various cryptographic libraries. Two sections focus on the two key areas addressed in the ISO document: policy on the use of cryptography, and key management.
Overview
In the context of information security, cryptography covers a broad range of topics for securing data. Encryption is the conversion of “cleartext” into “ciphertext”. The reverse process, “ciphertext” to “cleartext”, is referred to as decryption. Applied properly, cryptographic controls provide considerable protection for the confidentiality of data and, when coupled with other related methods, extend integrity and authenticity safeguards for data, both at rest and in transit.
...
It is important to note that encryption is another layer in the security framework of an institution. Encryption is not a quick fix for all security risks facing organizations. Data is decrypted on servers and stored in memory while being processed. Data can be stolen by an unauthorized person on your server or network. Encryption is added for defense in depth.
Cryptographic Controls (ISO 10.1)
Objective: Describe considerations for an encryption policy ensuring the protection of information confidentiality, integrity, and authenticity (CIA).
When considering cryptographic controls it is often helpful to first consider your institution’s data. This data exists in one of three states: at rest, in transit, or undergoing processing (see graphic below). Data are particularly vulnerable to unauthorized access when in transit or at rest. Portable computers (storing data at rest) are a common target for physical theft, while attackers may intercept data in transit over a network through man-in-the-middle attacks or packet capture and analysis. Unauthorized access may also occur while data is being processed, but here security systems may rely on the processing application to control and report on such access attempts. When used appropriately, encryption is a powerful tool to prevent unauthorized access to data.
Data States
Data States and Encryption Methods
Data States | Examples | Relevant Encryption Methods
---|---|---
Data In Use/Processing | Credit card use, W-2 processing, research data | Data is decrypted to be used; data masking of particularly sensitive data should be considered.
Data At Rest | Fileserver storage, desktop files, external media | Full Disk Encryption, Container Based Encryption
Data In Motion | SFTP, HTTPS, SMTPS | TLS (SSL is deprecated); IPsec
...
Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech - Virginia Tech
Cryptographic Standards
There are many standards in cryptography that are used for various issues and solutions. The most common standards are listed here.
...
Cryptographic hash functions are used for identity verification with digital signatures, file integrity verification, and fingerprinting of messages for authentication. SHA-256 and SHA-512 are examples of cryptographic hash functions.
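The two uses named above, file integrity verification and message fingerprinting for authentication, as an added example (not code from the original page). It builds a SHA-256 integrity baseline over constructed sample files, detects an altered file against it, and shows why authentication needs a keyed fingerprint (HMAC-SHA256) rather than a bare hash; the sample file contents and the key are placeholders made up for the demonstration.

```python
import hashlib
import hmac

# Constructed sample "files" standing in for documents on a fileserver (not real data).
SAMPLE_FILES = {
    "w2_batch.csv": b"employee_id,wages\n1001,52000\n1002,61000\n",
    "research_notes.txt": b"Trial 7: control group shows no effect.\n",
}

def sha256_fingerprint(data: bytes, chunk_size: int = 4096) -> str:
    """SHA-256 hex digest computed in chunks, the way a large file would be streamed."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()

def build_manifest(files: dict) -> dict:
    """Integrity baseline: the fingerprint of every file at a known-good point in time."""
    return {name: sha256_fingerprint(content) for name, content in files.items()}

def verify_manifest(files: dict, manifest: dict) -> list:
    """Names of files whose current content no longer matches the baseline."""
    changed = []
    for name, expected in manifest.items():
        actual = sha256_fingerprint(files.get(name, b""))  # missing file hashes as empty
        if not hmac.compare_digest(actual, expected):  # constant-time comparison
            changed.append(name)
    return changed

def authenticate_message(key: bytes, message: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256): only a holder of the key can produce it.
    A bare SHA-256 cannot authenticate, because anyone can recompute it for a forged message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def check_message(key: bytes, message: bytes, tag: str) -> bool:
    """True only if tag was produced over exactly this message with this key."""
    return hmac.compare_digest(authenticate_message(key, message), tag)

if __name__ == "__main__":
    baseline = build_manifest(SAMPLE_FILES)
    # Simulate an unauthorized edit to one file and detect it against the baseline.
    altered = dict(SAMPLE_FILES)
    altered["w2_batch.csv"] = b"employee_id,wages\n1001,92000\n1002,61000\n"
    print("changed files:", verify_manifest(altered, baseline))  # ['w2_batch.csv']
    key = b"hypothetical-shared-key"  # placeholder key for the demonstration only
    tag = authenticate_message(key, b"transfer approved")
    print("genuine:", check_message(key, b"transfer approved", tag))  # True
    print("forged:", check_message(key, b"transfer denied", tag))  # False
```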
References:
- Suite B Cryptography and The Case for Elliptic Curve Cryptography (NSA)
- Elliptic Curve Cryptography (Certicom)
- Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone)
- NIST SP 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
- FIPS Pub 180-4: Secure Hash Standard (SHS)
- Cryptographic Hash Function (Wikipedia)
- PGP: A Hybrid Solution (SANS Institute)
Cryptographic Libraries
Software developers and vendors usually write cryptographic libraries for various platforms. OpenSSL, the open source Secure Sockets Layer library, is arguably one of the most popular and most widely used cryptographic libraries. OpenSSL is used as the default cryptographic library for *NIX systems, including all Linux variants, all BSD variants, and macOS. Microsoft operating systems use the Microsoft Cryptographic Provider, which is also the foundation for .NET cryptography. Other common cryptographic libraries include the Java Cryptography Architecture and Wei Dai's Crypto++ library.
...
- Crypto++ Library 5.6.2
- Microsoft Developer Network: System.Security.Cryptography Namespace
- The Cryptography API, or How to Keep a Secret
- PHP Manual: Cryptography Extensions
- Java Cryptography Architecture (JCA) Reference Guide
- Introducing Conceal: Efficient Storage Encryption for Android
- Mac Developer Library: Cryptographic Services Guide
- The Legion of the Bouncy Castle
Resources
- Campus Case Studies On This Page
- EDUCAUSE Resources
- Initiatives, Collaborations, & Other Resources
Standards
ISO/IEC | NIST SP | COBIT | PCI DSS | NIST CSF | HIPAA
---|---|---|---|---|---
27002:2013 Information Security Management | 800-111 | DS5.8 | Req 3 | PR.DS-1: Data-at-rest is protected | 45 CFR 164.312(e)(1)
...
...