Encrypting Data - CompTIA Security+ SY0-701 - 1.4

00:01

If you need to protect data that you're

00:03

storing on an SSD, a hard drive, or any other type of storage

00:07

device, then you'll need to work on encrypting

00:10

all of this stored data.

00:11

Sometimes you'll hear this referred to as encrypting data

00:14

at rest.

00:15

This includes not just individual files

00:17

that you might have on these storage devices,

00:19

but in some cases, everything that's on the storage device

00:23

is using full disk or volume level encryption.

00:26

In the Windows operating system, you

00:28

may be using BitLocker to accomplish this.

00:30

If you're using Mac OS, you may be

00:32

using FileVault. And other operating

00:35

systems have other ways for encrypting everything

00:38

on a single volume.

00:39

You might also need to encrypt a single file that

00:42

is on a system and not the entire volume.

00:44

In Windows, you can use EFS.

00:46

That stands for the Encrypting File System.

00:49

It's a file level encryption that's built into the NTFS file

00:53

system.

00:53

And if you're using Mac OS, Linux, or even Windows,

00:57

there are many third party utilities that

00:59

can perform a similar function.

01:01

In Windows, you would look at the properties

01:03

of a file or folder.

01:04

And inside the Advanced Attributes,

01:06

you can select, Encrypt contents to secure data to enable EFS.

01:12

A lot of the data that we use online is stored in a database.

01:15

And of course, there are different techniques

01:18

to be able to protect the data that's

01:20

inside of these database files.

01:22

For example, you may be able to configure

01:25

transparent encryption.

01:26

This uses a symmetric key to encrypt everything

01:29

that might be in that database.

01:31

And you would need to perform an encryption or decryption

01:34

of that data each time the information

01:36

is pulled from the database.

01:38

Some of the information in your database

01:40

might not be private or sensitive.

01:42

So you might have some data inside

01:44

of the database that is protected or encrypted

01:47

and other data, which is still available in plain text.

01:50

Here's an example of a table inside of a database.

01:54

This is an employee database that

01:56

has employee ID numbers, first names, last names, and Social

02:00

Security numbers.

02:02

Of course, you could encrypt the entire database

02:05

by applying a symmetric key so that all of this data

02:08

is now encrypted.

02:09

And you can see, we have no idea what part of this

02:13

may have anything to do with an employee's name, their ID

02:16

number, or their Social Security number.

02:19

But of course, there's overhead involved

02:21

in being able to view this information.

02:23

And every time we need to search through the entire database,

02:26

we would effectively need to decrypt all of the data

02:29

within that single database.

02:31

One way to avoid some of that overhead

02:33

is to only encrypt a certain type of data in the database.

02:37

In this example, we're performing column level

02:39

encryption, where the employee ID, the first name,

02:42

and the last name are all displayed in plain text.

02:46

And if you needed to search for a name or search for an ID,

02:49

you can perform this very quickly

02:50

without having to decrypt any other type of data.

02:53

But if you needed access to a person's Social Security

02:56

number, you would either need to decrypt

02:58

the entire column or that single record

03:00

to be able to gain access to that data.

03:03

Another common place to perform this encryption

03:06

is when we're sending data across the network.

03:08

We want to be sure that everything

03:10

we're sending between two devices is protected.

03:12

And if someone does tap into this connection

03:14

and view that data, they wouldn't

03:16

be able to make sense of any of those details.

03:19

For example, you're probably using a browser right now

03:21

to watch this video.

03:22

And all of the communication that's

03:24

taking place in your browser is most likely

03:26

using HTTPS, which means that everything traversing

03:29

the network is encrypted.

03:31

If you need to connect different sites to each other

03:34

or need to connect individuals for remote access,

03:36

we commonly would use a VPN to provide this encryption.

03:40

This stands for Virtual Private Network.

03:42

And it effectively creates an encrypted tunnel,

03:45

where you can send all information into the tunnel

03:47

to the other side.

03:48

And anything within that tunnel is going to be encrypted.

03:51

This is commonly used with client

03:53

based VPNs using SSL or TLS.

03:56

And if you're connecting two sites together,

03:58

we commonly will use IPsec to provide that VPN connectivity.

04:03

To be able to have a successful encryption and decryption,

04:07

both sides must be using the same encryption algorithms.

04:11

This is the formula that's used to not only provide

04:14

the encryption process, but it also

04:16

provides you with the way to decrypt

04:18

that data on the other side.

04:20

Generally, both sides would agree from the very beginning,

04:23

to use one or more encryption algorithms

04:26

so that both sides know exactly what to expect when information

04:30

is received.

04:31

Many times, the end user doesn't see

04:33

the details of the algorithms that are being used.

04:36

But they know that they're using a particular application.

04:39

And they want to be sure the person on the other side

04:41

is using a similar application so

04:43

that the encryption and decryption

04:45

processes will be compatible.

04:47

There are obviously advantages and disadvantages,

04:49

depending on what encryption algorithm you're using.

04:52

Some algorithms have a better security level,

04:55

some work faster than others, some

04:57

have a more complex method for implementation.

05:00

But once both sides agrees on the application that

05:03

will be used for encryption and decryption,

05:05

everything else generally takes care of itself automatically.

05:09

Usually, the security administrator

05:11

will have a pretty good idea of what the requirements are

05:14

for the users.

05:15

And they'll make sure that the proper encryption

05:17

algorithms are used.

05:19

Here's a good example of why it's

05:20

so important that both parties in a conversation

05:22

are using the same encryption algorithm.

05:25

These are very broad comparisons between the DES encryption

05:28

algorithm and the AES encryption algorithm.

05:32

They stand for the Data Encryption

05:33

Standard and the Advanced Encryption Standard.

05:36

You do not need to know the specifics of these block

05:39

diagrams for the Security+ exam.

05:41

But you can visually see that there

05:44

are quite a few differences between both

05:46

of these algorithms.

05:47

The DES encryption algorithm has five different steps,

05:50

which include breaking up the data into a left plaintext

05:53

and right plaintext to finally come up

05:55

with a 64-bit cipher text.

05:57

You can see that AES works a little bit differently,

06:00

where you take a plain text and a secret key,

06:02

add it to a cipher, and finally get the ciphertext.

06:05

There are also different versions of AES

06:07

that can produce different levels of output.

06:10

You obviously would not be able to encrypt with DES

06:13

and somehow decrypt with AES.

06:16

You have to be sure that you're using compatible encryption

06:19

and decryption algorithms on both sides of the conversation.

06:23

Here's another interesting part about encryption algorithms,

06:26

is we know exactly how they work.

06:28

The algorithms themselves are usually public.

06:31

You can read the code or look through the math

06:33

and see exactly the process that occurs.

06:35

The algorithm is usually a very well-known thing.

06:39

In fact, it makes the algorithm more trustworthy,

06:41

because we can see the math and the process that's

06:44

used to create the encryption.

06:45

The one major piece of information that we don't have

06:48

is the key.

06:49

And although we know how the algorithm works,

06:52

we still are not able to reverse engineer anything

06:55

unless we have that key.

06:57

This is very similar to the way that a door lock operates.

07:00

We know how door locks work.

07:02

We know how to manufacture door locks.

07:05

We know what happens inside of a door

07:06

lock when you put a key in.

07:08

But just knowing that information

07:10

doesn't somehow allow you access through a locked door.

07:13

You have to have the proper key, just as you do

07:16

with encryption and decryption.

07:19

That key helps determine the final output.

07:21

If you're encrypting data or hashing data

07:24

or creating a digital signature, it's all based around that key.

07:28

And even though we have the algorithm

07:30

and understand everything about the math,

07:32

you still need the key to be able to gain access

07:34

to the data.

07:35

This is why we always tell you to keep

07:37

those private keys private.

07:39

If somebody gains access to your key,

07:41

they're able to use it on your door lock.

07:43

And now, they have access to all of your data.

07:46

Like anything else, your encryption and decryption keys

07:49

are subject to brute force attacks, which

07:52

means that an attacker could go through every possible

07:55

permeation to be able to determine

07:57

what a public or private key might be.

07:59

We can effectively prevent these brute force attacks

08:02

from being successful by creating a very, very long key.

08:06

In the world of encryption, a symmetric key

08:09

of 128 bits or larger would be very common

08:12

and today, would be very protected.

08:14

As time goes on and our processors become more powerful

08:17

and we're able to tie many different processors together,

08:20

we may increase the size of our keys

08:23

to make them that much more difficult to brute force.

08:26

This extension of the key lengths

08:28

also applies to asymmetric encryption as well.

08:31

Even though an asymmetric key involves complex mathematics

08:34

surrounding very large prime numbers,

08:36

an attacker can still performed with brute force.

08:39

And it's not uncommon to see asymmetric keys that

08:41

have a key length of 3072 bits or even larger.

08:46

This means as time goes on, we may

08:48

have to create larger and larger keys, just

08:51

to keep up with the changes in technology.

08:53

But there are some other things we

08:55

can do to make our existing keys that much more secure.

08:59

And one of the ways to do that is

09:00

to perform the encryption process multiple times

09:04

on a single type of data.

09:06

For example, you may want to hash a password,

09:08

then hash the hash of that password,

09:11

then hash the hash of the hash of that password, and so on.

09:14

This is referred to as key stretching

09:17

or key strengthening.

09:18

This means if someone wanted to brute force

09:21

some data that's been encrypted multiple times using

09:23

this key stretching method, that they would need

09:26

to decrypt multiple times to see if their brute force was

09:30

successful.

09:31

And this adds an additional overhead,

09:33

and certainly would create more time during the brute force

09:36

process.