Target audience: Students, faculty, staff and others, referred to as “users”, who access, use, or handle Keller’s IT resources. “Users” include but are not limited to subcontractors, visitors, visiting scholars, potential students, researchers, and non-university entities or individuals who are granted access. Keller offers online registration, computer lab access, and online classes; therefore, its employees and other personnel who have access to Confidential or Highly Confidential university information must employ encryption on the devices that hold such information to protect the data from unauthorized disclosure. Examples of restricted data that must be encrypted include Social Security numbers, credit card numbers, medical history, certain financial data, and other data as defined by FERPA, HIPAA and other laws and regulations.
1) Outline of the information and IT resources that may require cryptographic protection:
a) This policy applies to all Keller IT resources that store, process, or transmit restricted information, whether individually controlled, shared, stand-alone, or networked, and to all computers and communications facilities owned, leased, operated, or provided by the university or otherwise connected to Keller’s network, including:
1) Networking devices
2) Personal digital assistants
3) Wireless devices
4) Personal computers
5) Any associated peripherals and software, whether used for administrative, research, teaching, or other purposes.
The policy also applies to all personally owned devices used to store, process, or transmit Keller’s information or otherwise connected to the university’s IT resources.
As the Senior Director of Security for Keller, I am presenting this brief to address the status of cryptography in the protection of our confidential information. Ours is an environment that is constantly under attack by hackers trying to obtain access to restricted data such as Social Security numbers, credit card numbers, medical history, certain financial data, and other data as defined by FERPA, HIPAA and other laws and regulations. With this in mind, let’s discuss the following briefing points:
1) What is encryption: Protection through Cryptography (talk about these points from the paper)
Cryptography is a complex technology composed of design elements such as algorithms, cipher modes, and key sizes that can be applied to different security functions (e.g., encryption of data in transit, authentication, and hard-disk encryption).
The process of encryption converts data into an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext.
2) The application of keys (see hand out)
Cryptographic systems can be broadly classified into:
• Symmetric-key systems, which use a single key that both the sender and the recipient possess to encrypt and decrypt data
• Public-key systems, which use two keys: a public key that may be known to everyone and a private key that only its owner holds, so anyone can encrypt a message to the recipient but only the recipient can decrypt it
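The two classes are normally used together: a single symmetric session key protects the bulk data, and the public-key system is used only to deliver that key to the recipient. The following Go program is an added example written for this brief, not code from Keller or from any handout; the RSA-OAEP label and the "recipient" and "other" key pairs are constructed for the demonstration. It shows the asymmetry directly: anyone holding the public key can wrap the session key, but only the holder of the matching private key can unwrap it, and a different private key fails with an error rather than yielding a wrong key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel ties a wrapped key to its purpose; OAEP refuses to unwrap under another label.
var oaepLabel = []byte("keller-session-key") // constructed label for this example

// NewKeyPair generates the recipient's two keys. The public key can be handed to
// everyone; the private key never leaves the recipient.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewSessionKey is the single symmetric key both sides will share for bulk
// encryption; it is drawn from the OS CSPRNG, never from a guessable seed.
func NewSessionKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// WrapSessionKey is the sender's step: encrypt the symmetric key with the
// recipient's public key (RSA-OAEP). Anyone holding the public key can do this.
func WrapSessionKey(pub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, oaepLabel)
}

// UnwrapSessionKey is the recipient's step and needs the private key; any other
// private key, or a tampered blob, fails with an error rather than a wrong key.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// Exchange runs the whole flow and reports whether the intended recipient recovered
// the session key and whether a third party with a different private key could.
func Exchange(recipient, other *rsa.PrivateKey) (recipientOK, otherOK bool, err error) {
	sessionKey, err := NewSessionKey()
	if err != nil {
		return false, false, err
	}
	wrapped, err := WrapSessionKey(&recipient.PublicKey, sessionKey)
	if err != nil {
		return false, false, err
	}
	got, err := UnwrapSessionKey(recipient, wrapped)
	recipientOK = err == nil && string(got) == string(sessionKey)
	_, err = UnwrapSessionKey(other, wrapped)
	otherOK = err == nil
	return recipientOK, otherOK, nil
}

func main() {
	recipient, _ := NewKeyPair()
	other, _ := NewKeyPair()
	rOK, oOK, err := Exchange(recipient, other)
	fmt.Printf("recipient recovered key: %v, other party recovered key: %v, err: %v\n", rOK, oOK, err)
}
```

OAEP is randomized, so wrapping the same session key twice yields two different blobs; an observer cannot tell whether two messages carry the same key.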
Keys protecting stored data may need to be replaced, either because they have been compromised or because policy requires them to be changed on a regular basis. Data encrypted under an old key can only be read with that key, so the old key must be retained (or the data re-encrypted under the new key) or the data becomes unrecoverable. The key, together with a record of when and where it was used, must be kept in a secure place. Note: anyone with access to the key has access to the data.
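The following Go program is an added example of the key-rotation rule above; it is not code from Keller or from any handout. It assumes a simple versioned key store (key IDs 1, 2, ...), AES-256-GCM for the records, and a constructed sample record. Each record carries the ID of the key that produced it, which is the "record of where the key was used" in practice: rotation adds a new version for new writes but keeps the old one, decryption always uses the record's own version, and retiring a version before its records have been re-encrypted makes them unrecoverable, reported as an explicit error rather than garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is a stored ciphertext tagged with the key version that produced it.
type Record struct {
	KeyID      uint32
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore keeps every key version still protecting data; Current is used for new writes.
type KeyStore struct {
	Current uint32
	Keys    map[uint32][]byte
}

// NewKeyStore creates a store and generates key version 1.
func NewKeyStore() (*KeyStore, error) {
	ks := &KeyStore{Keys: map[uint32][]byte{}}
	return ks, ks.Rotate()
}

// Rotate draws a fresh 256-bit AES key from the OS CSPRNG and makes it current; old versions stay.
func (ks *KeyStore) Rotate() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.Current++
	ks.Keys[ks.Current] = k
	return nil
}

// Retire deletes a key version; any record still tagged with it becomes unrecoverable.
func (ks *KeyStore) Retire(id uint32) { delete(ks.Keys, id) }

// label binds the key version into the GCM tag so a record cannot be relabelled to another version.
func label(id uint32) []byte { return []byte(fmt.Sprintf("key-id:%d", id)) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the current key with AES-256-GCM and a random nonce.
func (ks *KeyStore) Encrypt(plaintext []byte) (Record, error) {
	aead, err := gcmFor(ks.Keys[ks.Current])
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{ks.Current, nonce, aead.Seal(nil, nonce, plaintext, label(ks.Current))}, nil
}

// Decrypt uses the record's own key version; a retired version is an explicit error.
func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	key, ok := ks.Keys[r.KeyID]
	if !ok {
		return nil, fmt.Errorf("key version %d retired: record unrecoverable", r.KeyID)
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, label(r.KeyID))
}

// ReEncrypt migrates a record to the current key so its old version can be retired safely.
func (ks *KeyStore) ReEncrypt(r Record) (Record, error) {
	pt, err := ks.Decrypt(r)
	if err != nil {
		return Record{}, err
	}
	return ks.Encrypt(pt)
}

func main() {
	ks, _ := NewKeyStore()
	old, _ := ks.Encrypt([]byte("SSN 123-45-6789")) // constructed sample record
	_ = ks.Rotate()
	migrated, _ := ks.ReEncrypt(old)
	ks.Retire(1)
	_, err := ks.Decrypt(old)
	pt, _ := ks.Decrypt(migrated)
	fmt.Printf("old record after retiring key 1: %v\nmigrated record: %q\n", err, pt)
}
```

The key version is also passed to GCM as associated data, so an attacker who can edit the stored key ID cannot make a record decrypt under a different version; the authentication tag fails instead.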
3) Attacks on Encrypted Data and Keys (30)
The attacker must either recover the key or break the algorithm.
• Key: recovering the key by brute force (trying every possible key until the right one is found)
o Use longer keys: each additional bit doubles the number of candidate keys, so a 128-bit key (2^128 possibilities) cannot be exhausted by brute force; longer keys give greater protection, provided the key is actually chosen uniformly at random.
o Seed and PRNG: if the key is produced by a pseudo-random number generator and the attacker can guess the seed, they can seed the same PRNG and reproduce the key exactly, so a 128-bit key is only as strong as its seed; therefore, generate keys and seeds from a cryptographically secure random source (the operating system’s CSPRNG), not from a guessable value such as the current time.
• Algorithm - if you pick a weak algorithm...
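The two key-recovery points above, brute force and a guessable PRNG seed, are shown together in the following Go program, an added example for this brief rather than code from Keller or from any handout. It assumes the attacker knows how the victim generates keys (here, a constructed weak generator that seeds Go's non-cryptographic math/rand with a Unix timestamp) and holds one known plaintext/ciphertext block. Instead of searching 2^128 keys, the attacker searches the seeds of one day, fewer than 2^17, and rebuilds the key; the same search against a key drawn from the OS CSPRNG finds nothing, because there the seed space is the full key space.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
	"time"
)

// weakKey mimics a common mistake (constructed for this example): a 128-bit key
// produced by a deterministic, non-cryptographic PRNG seeded with a small value
// such as the current Unix time. Same seed, same key.
func weakKey(seed int64) []byte {
	r := mrand.New(mrand.NewSource(seed))
	key := make([]byte, 16)
	binary.BigEndian.PutUint64(key[:8], r.Uint64())
	binary.BigEndian.PutUint64(key[8:], r.Uint64())
	return key
}

// strongKey draws 128 bits from the OS CSPRNG; there is no small seed to guess.
func strongKey() ([]byte, error) {
	key := make([]byte, 16)
	_, err := rand.Read(key)
	return key, err
}

// encryptBlock encrypts one 16-byte block with AES. The attacker is assumed to
// know one such plaintext/ciphertext pair (a known-plaintext attack).
func encryptBlock(key, plaintext []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, plaintext)
	return out, nil
}

// bruteForceSeeds tries every seed in [lo, hi], rebuilding the key exactly as
// the victim did, until the known plaintext encrypts to the observed ciphertext.
// It returns the seed, the number of candidates tried, and whether it succeeded.
func bruteForceSeeds(known, observed []byte, lo, hi int64) (seed int64, tries int64, found bool) {
	for s := lo; s <= hi; s++ {
		tries++
		ct, err := encryptBlock(weakKey(s), known)
		if err == nil && bytes.Equal(ct, observed) {
			return s, tries, true
		}
	}
	return 0, tries, false
}

func main() {
	known := []byte("known-plaintext!") // constructed 16-byte known plaintext
	now := time.Now().Unix()

	// Victim 1: key from a timestamp seed. The attacker searches the last day of seeds.
	observed, _ := encryptBlock(weakKey(now), known)
	seed, tries, ok := bruteForceSeeds(known, observed, now-86400, now)
	fmt.Printf("weak key: recovered=%v seed=%d after %d candidate seeds\n", ok, seed, tries)

	// Victim 2: key from the CSPRNG. The same search is hopeless; 2^128 candidates remain.
	key, _ := strongKey()
	observed, _ = encryptBlock(key, known)
	_, tries, ok = bruteForceSeeds(known, observed, now-86400, now)
	fmt.Printf("random key: recovered=%v after %d candidate seeds\n", ok, tries)
}
```

Note that the 128-bit key length is identical in both cases; what differs is the entropy behind it. Key length bounds the attacker's work only when the key is uniformly random.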