Azure Encryption
Anthony Turner, anthturner.com
Azure encryption session. Going to discuss how to keep your data secure in the cloud using encryption and the tools provided by Microsoft/Azure; will be discussing why encryption is important, how it can help you, and how it works. Will be showing how to use some of the SDKs and tools to actually encrypt your data easily.
Introduction
encryption {in-krip-shən}
[to change information from one form to another, especially to hide its meaning]
Why Do I Care? “I’m only one person on a planet of over 7 billion; no one is looking at me.”
Commercial Data Breaches
These are becoming more common; each year, the number and severity of commercial and governmental data breaches is on the rise. Stolen data can be used for corporate espionage, personal revenge, or identity theft.
http://www. informationisbeautiful
Anthem – 2nd largest medical insurer in the States – 2015. Private details on 79 million people were stolen, in each case plenty of information to facilitate identity theft.
Mexican Voter Database – (April 14th) 93 million records on voters in Mexico discovered sitting unsecured and publicly available on an Amazon AWS server in the United States, despite strict data governance laws that make it a crime to move this data outside of Mexico.
US Voter Database – late last year, 300 GB of government data was discovered sitting unsecured on the web by a researcher named Chris Vickery; it contains information on every registered voter in the United States, around 200 million people (around half of all people in the US). Unclear where it came from, or how it was left exposed. User error.
Snapchat
It’s not just companies!
“Celebgate” was the release of the private data of high-profile celebrities in late 2014. It came from a combination of social engineering, phishing, and brute-force guessing of answers to security questions, partially due to a lack of multi-factor authentication for iCloud.
Rise of “RATs” (Remote Access Trojans): viruses that can read files, view a user’s screen, and access an attached webcam. Generally more individually targeted, but sometimes gathered with broader browser-based exploits.
Governments can even store your data…
NSA $1.5B data center in Utah, completed construction in May 2014. Architected to support storing 1 Yottabyte of data; 1 Yottabyte is over 5700x the annual hard drive production of Seagate. Designed to store the complete contents of e-mail, cell phone calls, Google searches, and personal data trails.
… but can they protect it?
Edward Snowden released around 1.7 million NSA documents to the media in 2013.
Office of Personnel Management: hackers stole personally identifiable information for over 4 million government employees; SF-86 forms were stolen in the OPM leak.
https://cybermap.kaspersky.com/
Your home and/or work PC is probably under attack right now! The average survival time of a brand-new install of an operating system without patches is 13 hours, according to SANS.
Why Do I Care? Encryption can limit, mitigate, or prevent data leaks for everyone.
Types of Algorithms
OK, let's take a quick look at the two broad categories of encryption algorithms.
Symmetric: encrypt and decrypt with the same key. Examples: AES | Blowfish | 3DES
Asymmetric: encrypt with one key, decrypt with another. Examples: RSA | ECC | Diffie-Hellman
Cryptographic algorithms fall into two broad categories. Symmetric key, also known as a shared secret. Asymmetric: public/private key encryption, or certificate-based encryption.
Symmetric-Key Algorithms
Extremely fast conversion of data to ciphertext. If the key is ever obtained (for example by cracking some of the data), all other data encrypted with that key can be deciphered; this may be mitigated with salting techniques. Due to its speed, often used for large amounts of data.
Asymmetric-Key Algorithms
Sort of easy to compute in one direction, difficult in the opposite direction. Allows flexibility in key management.
Algorithm: easy to compute in one direction, but extremely difficult to compute in the opposite direction without special information. Well, sort of easy: relative to symmetric algorithms the encryption is still computationally expensive, so you don’t want to encrypt huge amounts of data with these algorithms. Masterlock analogy (with a real lock!).
Key behavior: flexibility in key management. You can encrypt data without being able to decrypt it, or you can decrypt it without being able to encrypt it. Two-person Masterlock analogy: Stefan opens the lock and holds the key, but hands the open lock to Anthony. Anthony uses the open lock to lock a box with a message in it and sends the locked box back to Stefan, who can now open it. The key never left Stefan’s hand, so it could never have been intercepted by someone who could then access all future messages.
Two Part Key
Public Key: allows encryption but not decryption. Can be safely shared without compromising encrypted data. Often publicly indexed as “fingerprints” for people to search for others.
Private Key: allows decryption but not encryption. Kept secure.
In the common use case of encryption, a two-part key is used. Because public keys can be shared so broadly, having an index of key hashes (fingerprints) is necessary.
Combining Speed and Security: The Envelope Technique
A single-use, symmetric, very long/complex Content Encryption Key (CEK) is generated and used to encrypt the data.
A (potentially) multi-use, asymmetric Key Encryption Key (KEK) is used to encrypt the CEK.
The encrypted CEK is stored with the encrypted data in storage.
The KEK is stored somewhere safe, and used to decrypt the CEK for future data access.
The KEK doesn’t *have* to be asymmetric, but it helps.
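The envelope technique above, as an added C# example that is not from the slides or from the Azure SDK (assumes .NET Core 2.0 or later; the EnvelopeExample helper, the wrap/unwrap delegates and the sample record are constructed for illustration):

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Envelope encryption as on the slide: a single-use AES-256-CBC Content Encryption Key
// (CEK) protects the data; a Key Encryption Key (KEK) protects the CEK. The wrap/unwrap
// delegates stand in for whatever holds the KEK. Hypothetical helper, not Azure SDK code.
public static class EnvelopeExample
{
    // Everything stored beside the data: wrapped CEK, IV (not secret) and ciphertext.
    public struct Envelope { public byte[] WrappedCek, Iv, Ciphertext; }

    public static Envelope Encrypt(byte[] plaintext, Func<byte[], byte[]> wrapCek)
    {
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateKey();  // fresh CEK from the platform CSPRNG, never reused
            aes.GenerateIV();
            using (var enc = aes.CreateEncryptor())
                return new Envelope
                {
                    WrappedCek = wrapCek(aes.Key),   // the KEK never touches the data itself
                    Iv = aes.IV,
                    Ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length)
                };
        }
    }

    public static byte[] Decrypt(Envelope env, Func<byte[], byte[]> unwrapCek)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = unwrapCek(env.WrappedCek);  // only the KEK holder can do this step
            aes.IV = env.Iv; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(env.Ciphertext, 0, env.Ciphertext.Length);
        }
    }

    public static void Main()
    {
        using (var kek = RSA.Create(2048))  // local RSA key as the KEK (constructed sample)
        {
            var env = Encrypt(Encoding.UTF8.GetBytes("constructed sample record"),
                              cek => kek.Encrypt(cek, RSAEncryptionPadding.OaepSHA256));
            var back = Decrypt(env, w => kek.Decrypt(w, RSAEncryptionPadding.OaepSHA256));
            Console.WriteLine(Encoding.UTF8.GetString(back));
        }
    }
}
```

To use a Key Vault key as the KEK instead, pass delegates that call keyVaultClient.EncryptAsync / DecryptAsync with RSAOAEP (the commands shown on the later slides) and keep the wrapped CEK with the blob, as the Azure SDK does. AES-CBC on its own gives no integrity protection, so in your own designs pair the ciphertext with a MAC or use an authenticated mode.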
This is Great, If You Do It Right
You do not want to come up with your own implementation. Very, very smart people have spent many, many years refining algorithms and implementation details to make them secure. The smallest mistake, from using the wrong random number generator to padding data incorrectly, can (and will) make your data vulnerable. These algorithms are based on math that is solid, but they only work if we don’t inadvertently introduce a weakness. Your job is to identify your scenario and the level of security required, to choose the best existing implementation to use, and then to use it correctly. Rely on trusted implementations designed for your scenario.
Make it Easy With The Right Tools
Client-side encryption for Azure Storage. Key management with Azure Key Vault.
Client-Side Encryption with the Azure SDK
.NET and Java. Blobs | Tables | Queues. Uses the envelope technique.
For blobs, the CEK (Content Encrypting Key) and metadata are stored with the blob.
For tables you specify which properties you want to encrypt, and two reserved properties are used to store the CEK and metadata.
For queues, which are just strings, the library uses a custom JSON format which stores the CEK/metadata in a field alongside the encrypted data.
The envelope technique is performed with AES (CBC) encryption, and the CEK is then protected with your choice of KEK (Key Encrypting Key).
Azure Key Vault: managing your keys for secure access, anywhere
The SDK sample left a big gap around keys: they were just randomly generated and had to be managed in some way.
Azure Key Vault
Hosted in Azure on dedicated systems and HSMs (Hardware Security Modules). Powers most of the encryption-aware services provided by Azure. Available to developers for use in their own applications.
Key Vault Storage Types
Keys: RSA-compatible key material. Can encrypt/decrypt data. Can digitally sign/verify data. Hides key material from everyone – keys are generated and stored only in Key Vault. Supports time-window access.
Secrets: any string up to 25KB. Developer can specify a Content Type to help identify the data scheme on retrieval. Supports time-window access.
Authenticating to Key Vault
Azure Active Directory supports both user-based and app-based OAuth2 authentication; Key Vault access list entries need to be set up for one or the other.
The client is constructed with a token callback: new KeyVaultClient(GetKeyVaultAccessTokenCallback)
You need to define a method like:
    private async Task<string> GetKeyVaultAccessTokenCallback(string authority, string resource, string scope)
Authenticating to Key Vault (cont’d.)
User Principal Authentication (interactive sign-in; prompts the user when no cached token is available):
    private async Task<string> GetKeyVaultAccessTokenCallback(string authority, string resource, string scope)
    {
        // AcquireToken is synchronous in this ADAL version, so run it on a worker thread
        return await Task.Factory.StartNew(() =>
        {
            var authContext = new AuthenticationContext(authority, TokenCache);
            var token = authContext.AcquireToken(resource, AADClientId, new Uri(RedirectUri), PromptBehavior.Auto);
            return token.AccessToken;
        });
    }

Service Principal Authentication (application identity with a client ID and client secret):
    private async Task<string> GetKeyVaultAccessTokenCallback(string authority, string resource, string scope)
    {
        var clientCredential = new ClientCredential(ClientId, ClientSecret);
        var context = new AuthenticationContext(authority, null);
        var result = await context.AcquireTokenAsync(resource, clientCredential);
        return result.AccessToken;
    }
Commands
Create or Update a Secret by Name:
    await keyVaultClient.SetSecretAsync("ContosoUsers", "JaneDoe", "JanesPassword123!");
Create a Key:
    await keyVaultClient.CreateKeyAsync("ContosoKeys", "JaneDoe", "rsa");
Retrieve the public component of the Key:
    await keyVaultClient.GetKeyAsync("ContosoUsers", "JaneDoe");
Commands (cont’d)
Encrypt data using the Key:
    await keyVaultClient.EncryptAsync("ContosoUsers", "JaneDoe", null, Microsoft.Azure.KeyVault.WebKey.JsonWebKeyEncryptionAlgorithm.RSAOAEP, <data>);
Decrypt data using the Key:
    await keyVaultClient.DecryptAsync("KeyIdentifier", Microsoft.Azure.KeyVault.WebKey.JsonWebKeyEncryptionAlgorithm.RSAOAEP, <encrypted data>);
Sign data using the Key:
    await keyVaultClient.SignAsync("ContosoUsers", "JaneDoe", null, Microsoft.Azure.KeyVault.WebKey.JsonWebKeySignatureAlgorithm.RS256, <data>);
Verify data using the Key:
    await keyVaultClient.VerifyAsync("KeyIdentifier", Microsoft.Azure.KeyVault.WebKey.JsonWebKeySignatureAlgorithm.RS256, <data>, <signature>);
Key Vault Management: PowerShell, C# SDK (non-UWP)