Practical Security and Key Practical Security and Key Management Management University of Amsterdam Introduction SNE - Research Project 2 Research Question Security levels Secure elements By: Key Magiel van der Meer management PGP Supervisors: TLS/SSL Marc Smeets Findings Jeroen van der Ham Conclusion July 2, 2014
Introduction Practical Security and Key Management Encryption and authenticity more important Introduction Personal data over untrusted networks Research .. thus for eavesdropping Question Security levels Truly secure communications are non-trivial (if not impossible) Secure elements Lots of information available on Internet, but.. Key management .. not necessarily up-to-date PGP .. not always supported with facts TLS/SSL Findings .. might be plain wrong Conclusion
Research Question Practical Security and Key Research Question Management How can one combine practical security and secure key Introduction management by aggregating relevant public available Research information? Question Security levels Points of interest Secure elements Key Security levels Practical configurations management PGP for elements Elements to secure TLS/SSL Overview guide Best practices per level Findings and element Conclusion
Security levels Practical Security and Key Management Introduction Defined security levels Research Question Security levels Basic Secure Medium elements Key High management PGP TLS/SSL Findings Conclusion
Security levels Basic Practical Security and Key Management Basic Introduction e.g. Individual security enthusiasts Research Question e.g. OS3 Students Security levels Signing / encrypting e-mail Secure elements e.g. Web shops working with privacy sensitive customer Key data management PGP Securing connections from customer to web shop TLS/SSL Likely no budget or related hardware Findings Conclusion
Security levels Medium Practical Security and Key Management Medium Introduction e.g. Journalists in countries with repressive regimes Research Question e.g. IT security researchers Security levels Signing / encrypting e-mail Secure elements Securing the workstation Key management e.g. Banks processing customer payments (Online PGP banking) TLS/SSL Probably budget & related hardware available Findings Conclusion
Security levels High Practical Security and Key Management High Introduction e.g. Employers of corporations (Banks, R&D sensitive) Research e.g. IT security researchers Question Security levels e.g. Separate private key operations from production Secure machines elements Key e.g. Predefined procedures for certificate issuance and management revocation PGP Desire for centralized key management TLS/SSL Findings Budget & specialized hardware available (like HSM) Conclusion
Secure elements Practical Security and Key Management Introduction Elements to secure Research Question Security levels Key management Secure Personal communications elements Key System communications management PGP TLS/SSL Findings Conclusion
Secure elements Personal communications Practical Security and Key Management Personal communications Introduction Research Securing digital communications between humans Question End-user involvement required Security levels Secure elements Pretty Good Privacy (PGP) Key management S/MIME PGP Off-The-Record (OTR) TLS/SSL Findings Conclusion
Secure elements System communications Practical Security and Key Management System communications Introduction Research System to system security Question Security levels Operations mostly transparent to the end-user Secure Only involve (or not ..) end-user when security fails elements Key management Web, mail, remote management, .. (Secured versions of course) PGP All these have in common: TLS/SSL TLS/SSL Findings Conclusion
Key management Considerations Practical Security and Key Management Key management Introduction Backup Research Escrow Question Security levels Recoverability historic data Secure Logical access elements Key Physical access management Revocation procedures PGP TLS/SSL Decrypt and encrypt data when new key is issued Findings Use key only on secure environment Conclusion
Overview Practical Security and Key Management Cross reference Security levels (Header) with the defined Introduction Secure elements (1th column) Research Question Security levels What? Basic Medium High Secure Personal security elements Key management Key Best practices & corresponding configurations per level management System communications PGP TLS/SSL Findings Conclusion
Pretty Good Privacy Considerations Practical Security and PGP concepts Key Management Generation of keys Introduction Key storage Research Question Key lengths Security levels Role separation Secure elements Expiration Key management Publishing PGP Rollovers TLS/SSL Revocation Findings Figure : Randall Munroe (xkcd) Conclusion Web-of-trust
Transport Layer Security Considerations Practical Security and Key Management Cryptographic protocol Introduction Research Question Key agreement or establishment Security levels Peer authentication Secure elements Symmetric encryption and authentication Key Secure data transport management PGP Non-repudiation TLS/SSL Findings Conclusion
Transport Layer Security Practical Security and Key Management Asymmetric & symmetric Introduction Asymmetric operations Research Question are expensive Security levels Uses asymmetric Secure elements cryptography Key To authenticate and management PGP exchange symmetric key Figure : Corredera Jorge TLS/SSL for encryption of data Findings Conclusion
Findings Key management Practical Security and Key Management What? Basic Medium High Introduction Research Key generation (Offline live) system Offline live system Specialized hardware Question Yubikey/Smartcard Personal tokens Security levels Backup Would be very smart Should be done Secure elements Escrow Depends on the situation Key management Revocation procedures Signed mail to known contacts Planned procedure PGP Key usage Only in trusted environment TLS/SSL Argumentation & sources in paper Findings Conclusion
Findings PGP Practical Security and Key Management What? Basic Medium High Introduction RSA/DSA-Elgemal RSA Research Question Role separation Default Subkey for certification Security levels Length (Bits) 2048 4096 S:4096 M:8192 Secure elements Expiration Subkey: 1y / Masterkey: 2y Key Revocation Mandatory, but implementation may differ management Rollover Signed mail to known contacts Planned procedure PGP TLS/SSL Findings More argumentation & sources in paper Conclusion
Findings System communications Practical Security and Key Management Considerations Introduction Research Choices depend more on target end-users / clients than Question security levels Security levels Secure Self-signed certificate or well-known CA 1 elements Public (web) service should support range of cipher suites Key management Mail server with managed clients can be more strict PGP TLS/SSL Findings Conclusion 1 Certificate Authority
Conclusion Practical A lot of information available Security and Key Management Often incomplete and no background or sources Spread over numerous sources (Blog entries, NIST Introduction recommendations,..) Research Out of date information (GnuPG manual: Go for 1024 bit DSA key) Question Corporate advisories (Microsoft, RSA,..) Security levels Can’t see the Wood for the Trees Secure elements Key Now even more information management PGP But complete TLS/SSL Background information Findings Argumentations and sources given Conclusion Applicable to several environments (security levels) A little bit more light in the darkness
Questions? Practical Security and Key Management Introduction Research Question Security levels Secure elements Key management PGP TLS/SSL Findings Conclusion Figure : Randall Munroe (xkcd)
Recommend
More recommend
