Presentation is loading. Please wait.

Presentation is loading. Please wait.

Student: Ying Hong Course: Database Security Instructor: Dr. Yang

Published byRaphael Fontaine Modified over 5 years ago

Similar presentations

Presentation on theme: "Student: Ying Hong Course: Database Security Instructor: Dr. Yang"— Presentation transcript:

1 Student: Ying Hong Course: Database Security Instructor: Dr. Yang
How To Protect Keys Student: Ying Hong Course: Database Security Instructor: Dr. Yang 12/6/2018 How To Protect Keys

2 Introduction As public key cryptography has become the basis of computer security, the weak point in security has shifted from the data itself to the keys which protect them. Tow approaches: one is from RSA Security one is from nCipher Security World 12/6/2018 How To Protect Keys

3 RSA Approach Traditional approach is to save the keys and encrypted data within the database together. RSA approach is to build an Encryption Server to provide centralized encryption services, which separates encryption keys from the encrypted data stored in the database. 12/6/2018 How To Protect Keys

4 Internal Database Encryption
12/6/2018 How To Protect Keys

5 External Database Encryption
12/6/2018 How To Protect Keys

6 Sample Implementation
12/6/2018 How To Protect Keys

7 Weak Point Traditional approach vs. RSA approach You may notice:
RSA approach did NOT yet solve the problem of the exposure of the keys and sensitive data thoroughly. It moves the weak point from the server application (ProcessLogin) to the CryptoServer. 12/6/2018 How To Protect Keys

8 nCipher Approach nCipher approach is to provide Hardware security modules (HSMs) with software to control key management. nCipher also developed a new system called Secure Execution Engine (SEE), which can protect application software as it’s executed by allowing the sensitive code being executed inside the HSMs. 12/6/2018 How To Protect Keys

9 12/6/2018 How To Protect Keys

10 Secure Key Storage The keys can only be used inside the HSMs, so that strong security perimeter is provided. However, it’s not good idea to store keys inside HSM: HSM is attacked, keys are destroyed the number of keys which can be created, used and stored is restricted by the capacity of storage built into HSM unit HSM’s module key is often pre-installed and known to the HSM manufacturer, so the chain of trust is not entirely under the control of the HSM administrator. 12/6/2018 How To Protect Keys

11 Key Backup & Recovery Key backup and recovery should be implemented in a consistently secure manner. Basic concepts of protecting stored keys: Strong encryption: triple-DES Fragmentation of keys: ‘k of n’ key fragments ACL: a list of operation associated with each key 12/6/2018 How To Protect Keys

12 Key Backup & Recovery cont.
12/6/2018 How To Protect Keys

13 Key Backup & Recovery cont.
Steps of creating ‘key blob’: The target key is encrypted using Triple-DES encryption. Its ACL is also, separately, encrypted. The key and ACL are encrypted together and the result is signed with a wrapper key (module key), to form blob. A Message Authentication Code (MAC) is stored with the key blob, ensuring that tampering is detectable. The wrapper key in turn is associated with another ACL, which determines who can access it. 12/6/2018 How To Protect Keys

14 Key Backup & Recovery cont.
If required, key fragments can each be wrapped with their own access control mechanisms. Now, encrypted key blob can be exported and stored server storage; also key fragments can be stored separately so that k smart cards out of a total set n are required to access the key. 12/6/2018 How To Protect Keys

15 Access To Key Blob 12/6/2018 How To Protect Keys

16 Access To Key Blob cont. Access to key blobs is physically controlled:
Smart cards must be presented in order to load the key blob into the HSM and unwrap it for decryption; Knowing the key blob is not sufficient to recover the original key object by itself, since any key stored on physical tokens is encrypted with the module key and module keys are held securely within the HSM. Instead of just encrypting keys with the module key, the HSM can combine the module key with a phrase supplied by the user, so that it significantly improves the weak point on the chain of the trust we mentioned earlier. 12/6/2018 How To Protect Keys

17 Sample Implementation
12/6/2018 How To Protect Keys

18 Extension nCipher’s SEE technology enable the code to perform security functions inside the HSMs. 12/6/2018 How To Protect Keys

19 Sample Implementation
12/6/2018 How To Protect Keys

20 Benefits Non-hierarchical key management Initialization key uniqueness
the administrator card set the operator card set(s) Initialization key uniqueness the module key is not known outside the HSM and remains valid until the module is reinitialized Scalability It’s possible to share module keys across a series of HSMs 12/6/2018 How To Protect Keys

21 Conclusion RSA approach is a software-only solution, so it’s easier to use. nCipher approach may be more secure than the RSA approach, and it takes one more step further to protect the sensitive code, but it’s obviously more complicated. 12/6/2018 How To Protect Keys

22 References Securing Data At Rest: Developing a Database Encryption Strategy nCipher Security World white paper Secure Execution Engine white paper 12/6/2018 How To Protect Keys

Download ppt "Student: Ying Hong Course: Database Security Instructor: Dr. Yang"

Similar presentations

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University.

Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.

Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
RBNetERP or Enterprise Resource Planning is a software that allows companies to integrate all their operations and resources and manage them through one.

RBNetERP or Enterprise Resource Planning is a software that allows companies to integrate all their operations and resources and manage them through one.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.

1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam

Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Week #7 Objectives: Secure Windows 7 Desktop

Week #7 Objectives: Secure Windows 7 Desktop
Introduction: Databases and Database Users

Introduction: Databases and Database Users
Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.

Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.
1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.

1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.

Similar presentations

Ads by Google