IBM Power Systems Technical University

October 18-22, 2010, Las Vegas, NV

Session Title: Understanding Basic Encryption Concepts and AIX 6.1's Encrypted File System
Session ID: SE10(AIX)
Speaker Name: Stephen Dominguez

10/06/10

2010 IBM Corporation

IBM Lab Services and Training

Intro to Cryptography
- Cryptography is the practice and study of hiding information.
- Used to "scramble" your files.
- Used to prove who you are.
- Used to alert you if the contents of a file have been changed.
- Verify the identity of the person who sent you a message.
- Keep online communications safe and secure.

Executive Summary of AIX 6.1 EFS

10/06/10

2009 IBM Corporation

IBM Lab Services and Training

What is Plaintext?
- The message in its natural format.
- Plaintext is readable to an attacker.
- Also referred to as "cleartext".

What is Ciphertext?
- A message altered so as to be unreadable for anyone except the intended recipients.
- An attacker seeing ciphertext would be unable to read the message.
- Also referred to as "cryptogram".

What is Encryption?
- The process of converting a message from its plaintext to ciphertext through the use of a cryptographic algorithm and key.
- Also referred to as enciphering.

What is Decryption?
- The process of converting a ciphertext message into plaintext through the use of the cryptographic algorithm and key that were used to do the original encryption.
- Also referred to as deciphering.

What is a Cryptographic Algorithm?
- A step-by-step process (mathematical function) that is used in the encryption and decryption process.
- Can be anything from extremely simple to extremely complex.
- Also referred to as "cipher".

Simple Encryption/Decryption Example
- Consider an algorithm that takes English alphabetic characters and encrypts by substituting each with the character n positions to the right within the alphabet.
- Decryption would involve taking the ciphertext and moving each character n positions to the left within the alphabet.
- All characters are upper case.
- Moving to the right past Z would start again at the beginning of the alphabet.
- Moving to the left past A would start again at the end of the alphabet.

Using this cipher and a key of 1, what is the ciphertext for: AB ZZ

Using this cipher and a key of 1, what is the plaintext for: DR AB

Using this cipher and a key of 1, what is the ciphertext for: IBM LAS VEGAS

ANSWERS:
JCN MBT WDHBT

Using this cipher and a key of 1, what is the plaintext for: GVO HBNCMF

ANSWERS:
FUN GAMBLE
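The shift cipher from the slides in code, with the exercises above checked (an added example, not part of the deck); all_candidates goes beyond the slides to show why a cipher with only 25 keys protects nothing: a reader without the key simply tries every one.

```python
import string

ALPHABET = string.ascii_uppercase   # the deck's cipher works on upper-case A..Z only


def shift_char(ch, n):
    """Move one upper-case letter n places to the right (negative n = to the left).
    Past Z the count wraps to A and past A it wraps to Z, as the slide describes;
    anything that is not A..Z (the space in the exercises) is passed through unchanged."""
    if ch not in ALPHABET:
        return ch
    return ALPHABET[(ALPHABET.index(ch) + n) % len(ALPHABET)]


def encrypt(plaintext, key):
    return "".join(shift_char(c, key) for c in plaintext.upper())


def decrypt(ciphertext, key):
    return "".join(shift_char(c, -key) for c in ciphertext.upper())


def all_candidates(ciphertext):
    """Every possible decryption under this cipher. Only 25 keys exist, so whoever
    holds the ciphertext tries them all and keeps the one that reads as English:
    the size of the key space, not the substitution rule, is what makes a cipher strong."""
    return {k: decrypt(ciphertext, k) for k in range(1, len(ALPHABET))}
```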

What is a Cryptographic Hash?
- A kind of signature for a stream of data.
- Also called a digest or, informally, a "checksum".
- All streams of data yield hashes of the same length.
- This differs from encryption/decryption: hashes are one-way, i.e., you can't take a hash and determine the stream of data.
- Major elements: stream of data, hash function, and hash.

What are cryptographic hashes used for?
- Verifying file integrity
- Hashing passwords
- Digitally signed documents
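An added example (not from the deck) showing the first two uses above with Python's standard library: a SHA-256 digest that is 64 hex characters whatever the input size, an integrity check with a constant-time comparison, and password storage as a salted, iterated hash (PBKDF2) rather than a bare digest; PBKDF2_ROUNDS is a constructed choice for the demo.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000   # iteration count for password hashing (constructed demo value)


def digest(data):
    """SHA-256 of any stream of data: 64 hex characters whether the input is empty or huge."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data, expected_hex):
    """File-integrity check: recompute the digest and compare it in constant time."""
    return hmac.compare_digest(digest(data), expected_hex)


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Store a salted, iterated hash instead of the password. The hash is one-way, so the
    stored value does not reveal the password; the salt keeps equal passwords from hashing alike."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def check_password(password, salt, stored, rounds=PBKDF2_ROUNDS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, stored)
```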

Symmetric Cryptography
- Type of cryptography in which the key for encryption and decryption is the same.
- Pro: Good for encrypting large amounts of data.
- Pro: Computationally fast.
- Pro: Hard to break if a large key is used.
- Pro: Much faster than asymmetric cryptography.
- Con: Requires a secure mechanism for delivering keys.
- Con: Each pair needs a unique key, so the more users, the more keys needed.

Asymmetric Cryptography
- Cryptography in which a pair of different keys is used to encrypt and decrypt.
- The keys are mathematically related.
- Referred to as public key systems.
- The public key may be known by everyone.
- Only the owner should know the private key.
- The private and public key can't encrypt and decrypt a message without the other.

Pros of Asymmetric Cryptography
- Better key distribution than symmetric systems.
- Better scalability than symmetric systems.
- Can provide authentication and nonrepudiation.

Cons of Asymmetric Cryptography
- Works much more slowly than symmetric systems.
- Mathematically intensive tasks.
- Not good for encrypting large amounts of data.

Digital Signature
- This is a message's hash value that has been encrypted with the sender's private key.
- The act of signing means encrypting the message's hash value with the sender's private key.
- Provides for ensuring the integrity of messages.
- Provides for authentication and nonrepudiation.

EFS Basics
- EFS files are stored on disk in encrypted form.
- When files are loaded into memory they are decrypted.
- Files in memory are in clear text.
- Files moved from memory to disk will be encrypted.

AIX 6.1 Encrypted File System (EFS)
- AIX feature that provides JFS2 file encryption.
- Done at file-level granularity: each file can be encrypted separately, with its own encryption type and keys.
- Different types of encryption can be configured.

Access Control Implications
- Adds an additional layer of access control.
- DAC is still enforced on the files.
- ACLs are still enforced.
- DAC and ACLs are checked first, before EFS keys are checked.

Prerequisites for Creating EFS-enabled File Systems
- CryptoLite in C (CliC) filesets must be installed.
- RBAC must be enabled.
- The partition must be EFS-enabled.

Interfaces Supported
- Command line
- SMIT

Basic Options for EFS File Systems
- Create one from scratch.
- Convert an existing JFS2 file system (except for /, /usr, /var, and /opt).

Basic Operations for EFS-enabled File Systems
- Mounting the file system
- Unmounting the file system
- Increasing and decreasing file system size
- Defragmenting the file system
- Removing the file system
- Exception: NFS is not supported/possible with EFS file systems.

Encryption Options for EFS-enabled File Systems
- Individually and manually encrypt files (EFS inheritance not used).
- Have all files automatically encrypted when they are created in the file system (EFS inheritance is enabled).
- Have only specific directories within the EFS-enabled file system with inheritance enabled.

How does a user access EFS-enabled files?
- User logs onto a partition.
- User opens his keystore.
- User can then access EFS-enabled files that he has DAC access to and for which the file holds a key for him.

EFS Advantages over 3rd Party Encryption Products
- Normally completely transparent to general users.
- Less transparent to administrators.
- File-level granularity instead of volume level (increased security and encryption implementation flexibility).
- Provides a mode to protect against a malicious root user.
- Encrypted file access defined using keys based upon existing users/groups.
- Uses flexible AES symmetric encryption for file encryption and decryption.
- Uses flexible RSA asymmetric encryption to protect the symmetric keys used to decrypt and encrypt file data.
- Pre-existing related AIX file commands are "EFS-aware".

File Encryption Algorithm Options:
- AES_128_CBC
- AES_128_ECB
- AES_192_CBC
- AES_192_ECB
- AES_256_CBC
- AES_256_ECB

Understanding Algorithm Options
- Increased key length provides more security but will require more CPU resources.
- ECB, Electronic Code Book, is good when the data is random in nature.
- CBC, Cipher Block Chaining, is good for data that is not random.
- CBC has a risk: this type of encryption is done by blocks, and the encryption of subsequent blocks depends on previous blocks. Therefore if encrypted or non-encrypted blocks get corrupted, the corruption will affect all remaining subsequent blocks.
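To see what the two modes actually do, here is an added example (not from the deck) that drives a toy 8-byte block cipher in ECB and in CBC mode; the toy cipher is not secure and stands in for AES only so the code runs without a crypto library, and KEY and IV are constructed demo values. ECB turns repeated plaintext blocks into repeated ciphertext blocks, which is why it suits only random-looking data, and damaged_blocks shows how far one flipped ciphertext bit propagates through CBC decryption.

```python
import random

BLOCK = 8                       # bytes per block
KEY = bytes(range(8))           # constructed demo key: one byte per block position
IV = b"\xaa" * BLOCK            # constructed demo initialisation vector

def sbox_for(key):              # key-derived byte substitution table (toy cipher, NOT secure)
    table = list(range(256))
    random.Random(key).shuffle(table)
    return table

def enc_block(key, blk):        # 4 rounds of: substitute, mix each byte forward, rotate left
    sbox, b = sbox_for(key), list(blk)
    for _ in range(4):
        b = [sbox[x ^ key[i]] for i, x in enumerate(b)]
        for i in range(1, BLOCK):
            b[i] ^= b[i - 1]
        b = b[1:] + b[:1]
    return bytes(b)

def dec_block(key, blk):        # exact inverse of enc_block, undoing each round in reverse
    sbox, b = sbox_for(key), list(blk)
    for _ in range(4):
        b = b[-1:] + b[:-1]
        for i in range(BLOCK - 1, 0, -1):
            b[i] ^= b[i - 1]
        b = [sbox.index(x) ^ key[i] for i, x in enumerate(b)]
    return bytes(b)

def split_blocks(data): return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def xor_bytes(a, b): return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key, pt):       # ECB: every block is encrypted on its own
    return b"".join(enc_block(key, p) for p in split_blocks(pt))

def cbc_encrypt(key, iv, pt):   # CBC: C[i] = E(P[i] XOR C[i-1]), with C[-1] = IV
    chain = [iv]
    for p in split_blocks(pt):
        chain.append(enc_block(key, xor_bytes(p, chain[-1])))
    return b"".join(chain[1:])

def cbc_decrypt(key, iv, ct):   # P[i] = D(C[i]) XOR C[i-1]
    chain = [iv] + split_blocks(ct)
    return b"".join(xor_bytes(dec_block(key, c), prev) for prev, c in zip(chain, chain[1:]))

def damaged_blocks(key, iv, pt, bad):   # flip one bit in CBC block `bad`, list blocks that decrypt wrongly
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[bad * BLOCK] ^= 0x01
    recovered = split_blocks(cbc_decrypt(key, iv, bytes(ct)))
    return [i for i, p in enumerate(split_blocks(pt)) if recovered[i] != p]
```

With four identical plaintext blocks, ECB yields one distinct ciphertext block and CBC four; flipping a bit in CBC block 1 corrupts blocks 1 and 2 only, because each plaintext block depends on just the preceding ciphertext block, so later blocks decrypt correctly again.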

Keystore Encryption Algorithm Options
- RSA_1024
- RSA_2048
- RSA_4096

Keystore Encryption Algorithm Options
- The keys that encrypt and decrypt files are themselves encrypted.
- They are protected by asymmetric encryption.
- Larger key lengths provide more security but need more CPU resources.

EFS Encryption Inheritance
- After an EFS file system is created you may activate this.
- There are 2 levels: file system and directory.
- Directory inheritance will take precedence over file system inheritance.
- Once activated, any file created in the file system or the directory will be automatically encrypted.

EFS Performance Considerations
- Files on disk are encrypted.
- When files are placed in memory they are decrypted and placed as clear text files in memory.
- Files in memory stay in plain text until they need to be stored back to disk.
- Once files are in memory there is no penalty that EFS adds to the performance of the system.
- Each file can be configured with a specific encryption type.
- Best performance can be acquired by using smaller key lengths and ECB encryption, but this will lessen the degree of encryption security in most cases.


The END
If you would like IBM Lab Services to provide assistance with implementing EFS, please contact me, Stephen Dominguez, at sdoming@us.ibm.com