Encrypting Data - CompTIA Security+ SY0-701 - 1.4
Summary
TLDR: The video script discusses the importance of encrypting data at rest, including full disk encryption with tools like BitLocker and FileVault, and file-level encryption with EFS. It also covers database encryption, highlighting the balance between security and accessibility, and the use of HTTPS, VPNs, and IPsec for secure data transmission. The script emphasizes the necessity of using compatible encryption algorithms for successful encryption and decryption, and the evolution of key lengths to counter brute force attacks. It concludes with the concept of key stretching to enhance security.
Takeaways
- 🔒 Data encryption is essential for protecting data at rest on storage devices like SSDs and hard drives.
- 💻 Operating systems like Windows and Mac OS offer built-in encryption solutions such as BitLocker and FileVault, respectively.
- 🗂️ Encrypting individual files can be done using EFS in Windows or third-party utilities in other operating systems.
- 🔑 Databases can be protected using techniques like transparent encryption with symmetric keys.
- 📊 Column-level encryption in databases allows for quick searches while keeping sensitive data encrypted.
- 🌐 Data transmission security is ensured through protocols like HTTPS and VPNs, which create encrypted tunnels for data transfer.
- 🔑 Encryption and decryption require the use of compatible algorithms agreed upon by both communicating parties.
- 🔑 The security of encryption relies on the secrecy of the key, not the algorithm itself, which is often public knowledge.
- 🔑 Brute force attacks can be mitigated by using long keys and key stretching techniques.
- 🔑 Asymmetric encryption, involving complex mathematics with large prime numbers, also requires long keys to prevent brute force attacks.
- 🛡️ Security administrators need to understand user requirements to ensure the use of appropriate encryption algorithms for data protection.
Q & A
What is meant by 'encrypting data at rest'?
- Encrypting data at rest refers to the process of securing data that is stored on a storage device, such as an SSD or hard drive, by converting it into an unreadable format until it is decrypted. This includes encrypting individual files or using full disk or volume level encryption.
Which tools are commonly used for encrypting data on Windows and Mac operating systems?
- On Windows, BitLocker is used for encrypting data, while on Mac OS, FileVault is the tool of choice. These tools provide full disk or volume level encryption.
What is EFS and how is it used in Windows?
- EFS stands for Encrypting File System. It is a file-level encryption feature built into the NTFS file system in Windows. Users can enable EFS by selecting 'Encrypt contents to secure data' in the Advanced Attributes of a file or folder's properties.
Can third-party utilities perform file encryption on Mac OS, Linux, or Windows?
- Yes, there are many third-party utilities available that can perform file encryption on these operating systems, offering similar functionality to Windows' EFS.
What is transparent encryption and how does it work?
- Transparent encryption is a technique used to protect data within database files by encrypting all the data using a symmetric key. This means that data is automatically encrypted and decrypted each time it is accessed from the database.
Why might some data in a database be left unencrypted?
- Some data in a database might not be private or sensitive, and therefore, it may be left unencrypted to avoid unnecessary overhead. This allows for faster access to non-sensitive data without the need for decryption.
What is column-level encryption and how does it help in reducing decryption overhead?
- Column-level encryption is a method where only certain columns of a database table are encrypted, while others are left in plain text. This allows for quick searches and access to non-sensitive data without the need to decrypt the entire database or table.
Why is HTTPS used for secure communication in web browsers?
- HTTPS, which stands for Hypertext Transfer Protocol Secure, is used to encrypt the communication between a web browser and a website. This ensures that any data transmitted is protected and cannot be easily intercepted or understood by unauthorized parties.
What is a VPN and how does it provide encryption for network communication?
- A VPN, or Virtual Private Network, creates an encrypted tunnel for data transmission between two points. It ensures that all information sent through the tunnel is encrypted, providing a secure means of communication over potentially insecure networks.
What is the importance of using the same encryption algorithm on both sides of a communication?
- Using the same encryption algorithm on both sides ensures compatibility and allows for successful encryption and decryption of data. Without agreement on the algorithm, the data cannot be properly secured or understood by the receiving party.
Why are encryption algorithms usually public, and what makes them secure?
- Encryption algorithms are public so that their processes and mathematics can be scrutinized and trusted. The security of these algorithms lies in the secrecy of the key used, not in the algorithm itself. Without the key, even with knowledge of the algorithm, data cannot be decrypted.
What is key stretching and how does it enhance security?
- Key stretching is the process of performing the encryption multiple times on the same data using the same key. This adds an additional layer of security by requiring an attacker to decrypt multiple times to determine if their brute force attack was successful.
How does the length of encryption keys affect security and resistance to brute force attacks?
- Longer keys make brute force attacks more difficult and time-consuming. A symmetric key of 128 bits or larger is considered secure, but as computational power increases, the length of keys may be extended to maintain security against brute force attacks.
Outlines
🔒 Data Encryption Essentials
This paragraph discusses the importance of encrypting data at rest, which includes individual files and full disk or volume level encryption. It highlights the use of BitLocker for Windows and FileVault for Mac OS, as well as third-party utilities for other operating systems. The paragraph also touches on file-level encryption with EFS in Windows and the concept of transparent encryption for databases, where only certain columns or rows are encrypted to balance security with accessibility. It concludes with an example of encrypting an employee database, emphasizing the trade-off between security and the overhead of decrypting data for searches.
🔑 Encryption Algorithms and Key Management
This paragraph delves into the specifics of encryption and decryption algorithms, emphasizing the need for both parties in a communication to use compatible algorithms. It provides a comparison between DES and AES, illustrating their structural differences and output levels. The paragraph underscores that while encryption algorithms are publicly known and trusted, the security lies in the secrecy of the keys used. It also discusses the concept of key stretching as a method to enhance security against brute force attacks, suggesting that longer keys and multiple encryption iterations can significantly increase the difficulty for attackers to decrypt data.
Keywords
💡Encryption
💡Data at Rest
💡BitLocker
💡FileVault
💡Encrypting File System (EFS)
💡Database Encryption
💡Column Level Encryption
💡HTTPS
💡Virtual Private Network (VPN)
💡IPsec
💡Symmetric Key
💡Asymmetric Key
💡Key Stretching
Highlights
Encrypting data at rest is crucial for protecting data stored on SSDs, hard drives, and other storage devices.
Full disk or volume level encryption can be achieved using BitLocker on Windows and FileVault on Mac OS.
Encrypting File System (EFS) in Windows and third-party utilities can encrypt individual files on various operating systems.
Configuring transparent encryption with a symmetric key can protect data within database files.
Column-level encryption allows quick searches while keeping sensitive data like Social Security numbers encrypted.
HTTPS encrypts data in transit, protecting information sent between a browser and a server.
Virtual Private Networks (VPNs) create encrypted tunnels for secure data transmission across networks.
IPsec is commonly used for site-to-site VPNs to provide secure connectivity.
Both parties in a communication must use compatible encryption and decryption algorithms for successful data exchange.
Security administrators should select appropriate encryption algorithms based on user requirements and security levels.
DES and AES are examples of encryption algorithms with different processes and security levels.
Encryption algorithms are public, but the security relies on the secrecy of the encryption keys.
The strength of encryption can be increased by using long keys and key stretching techniques.
Asymmetric encryption involves complex mathematics with large prime numbers but is still susceptible to brute force attacks.
Key length may need to be increased over time to counteract advancements in computational power.
Key stretching, such as hashing a password multiple times, adds security against brute force attacks.
The importance of keeping private keys secure is emphasized, as they are crucial for data access and security.
Transcripts
If you need to protect data that you're storing on an SSD, a hard drive, or any other type of storage device, then you'll need to work on encrypting all of this stored data. Sometimes you'll hear this referred to as encrypting data at rest. This includes not just individual files that you might have on these storage devices, but in some cases, everything that's on the storage device is using full disk or volume level encryption. In the Windows operating system, you may be using BitLocker to accomplish this. If you're using Mac OS, you may be using FileVault. And other operating systems have other ways for encrypting everything on a single volume.
You might also need to encrypt a single file that is on a system and not the entire volume. In Windows, you can use EFS. That stands for the Encrypting File System. It's a file level encryption that's built into the NTFS file system. And if you're using Mac OS, Linux, or even Windows, there are many third party utilities that can perform a similar function. In Windows, you would look at the properties of a file or folder. And inside the Advanced Attributes, you can select "Encrypt contents to secure data" to enable EFS.
A lot of the data that we use online is stored in a database. And of course, there are different techniques to be able to protect the data that's inside of these database files. For example, you may be able to configure transparent encryption. This uses a symmetric key to encrypt everything that might be in that database. And you would need to perform an encryption or decryption of that data each time the information is pulled from the database. Some of the information in your database might not be private or sensitive. So you might have some data inside of the database that is protected or encrypted and other data, which is still available in plain text.
Here's an example of a table inside of a database. This is an employee database that has employee ID numbers, first names, last names, and Social Security numbers. Of course, you could encrypt the entire database by applying a symmetric key so that all of this data is now encrypted. And you can see, we have no idea what part of this may have anything to do with an employee's name, their ID number, or their Social Security number. But of course, there's overhead involved in being able to view this information. And every time we need to search through the entire database, we would effectively need to decrypt all of the data within that single database.
One way to avoid some of that overhead is to only encrypt a certain type of data in the database. In this example, we're performing column level encryption, where the employee ID, the first name, and the last name are all displayed in plain text. And if you needed to search for a name or search for an ID, you can perform this very quickly without having to decrypt any other type of data. But if you needed access to a person's Social Security number, you would either need to decrypt the entire column or that single record to be able to gain access to that data.
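The column-level scheme described above, as an added example that is not from the video or from any particular database product: a stdlib-only Go function pair that protects just the Social Security number column with AES-256-GCM, so that employee ID and names stay in plaintext and searchable while a single record's SSN can be decrypted only with the column key. Binding the row ID into the ciphertext as associated data, the key handling and the sample SSN are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds the AEAD used for the encrypted column. The key must be
// 16, 24 or 32 bytes; the ID, first-name and last-name columns never
// touch it, which is what keeps searches on those columns cheap.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSSN seals one SSN under the column key with a fresh random nonce
// and returns nonce || ciphertext for storage in the SSN column. The row ID
// is bound in as associated data (an addition here, not in the video) so a
// ciphertext copied onto another employee's row fails to decrypt.
func EncryptSSN(key []byte, id int, ssn string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(fmt.Sprintf("employee:%d", id))
	return gcm.Seal(nonce, nonce, []byte(ssn), aad), nil
}

// DecryptSSN reverses EncryptSSN for one record; it fails on a wrong key,
// a mismatched row ID or any modified byte instead of returning a wrong SSN.
func DecryptSSN(key []byte, id int, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(fmt.Sprintf("employee:%d", id)))
	return string(pt), err
}

func main() {
	key := make([]byte, 32) // column key; in practice loaded from a key store, never embedded
	rand.Read(key)
	blob, _ := EncryptSSN(key, 1001, "123-45-6789") // constructed sample row
	ssn, err := DecryptSSN(key, 1001, blob)
	fmt.Println(ssn, err) // the record's SSN and a nil error
	_, err = DecryptSSN(key, 1002, blob)
	fmt.Println(err) // non-nil: the ciphertext is bound to row 1001
}
```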
Another common place to perform this encryption is when we're sending data across the network. We want to be sure that everything we're sending between two devices is protected. And if someone does tap into this connection and view that data, they wouldn't be able to make sense of any of those details. For example, you're probably using a browser right now to watch this video. And all of the communication that's taking place in your browser is most likely using HTTPS, which means that everything traversing the network is encrypted.
If you need to connect different sites to each other or need to connect individuals for remote access, we commonly would use a VPN to provide this encryption. This stands for Virtual Private Network. And it effectively creates an encrypted tunnel, where you can send all information into the tunnel to the other side. And anything within that tunnel is going to be encrypted. This is commonly used with client-based VPNs using SSL or TLS. And if you're connecting two sites together, we commonly will use IPsec to provide that VPN connectivity.
To be able to have a successful encryption and decryption, both sides must be using the same encryption algorithms. This is the formula that's used to not only provide the encryption process, but it also provides you with the way to decrypt that data on the other side. Generally, both sides would agree from the very beginning to use one or more encryption algorithms so that both sides know exactly what to expect when information is received. Many times, the end user doesn't see the details of the algorithms that are being used. But they know that they're using a particular application. And they want to be sure the person on the other side is using a similar application so that the encryption and decryption processes will be compatible.
There are obviously advantages and disadvantages, depending on what encryption algorithm you're using. Some algorithms have a better security level, some work faster than others, some have a more complex method for implementation. But once both sides agree on the application that will be used for encryption and decryption, everything else generally takes care of itself automatically. Usually, the security administrator will have a pretty good idea of what the requirements are for the users. And they'll make sure that the proper encryption algorithms are used.
Here's a good example of why it's so important that both parties in a conversation are using the same encryption algorithm. These are very broad comparisons between the DES encryption algorithm and the AES encryption algorithm. They stand for the Data Encryption Standard and the Advanced Encryption Standard. You do not need to know the specifics of these block diagrams for the Security+ exam. But you can visually see that there are quite a few differences between both of these algorithms. The DES encryption algorithm has five different steps, which include breaking up the data into a left plaintext and right plaintext to finally come up with a 64-bit ciphertext. You can see that AES works a little bit differently, where you take a plaintext and a secret key, add it to a cipher, and finally get the ciphertext. There are also different versions of AES that can produce different levels of output. You obviously would not be able to encrypt with DES and somehow decrypt with AES. You have to be sure that you're using compatible encryption and decryption algorithms on both sides of the conversation.
Here's another interesting part about encryption algorithms: we know exactly how they work. The algorithms themselves are usually public. You can read the code or look through the math and see exactly the process that occurs. The algorithm is usually a very well-known thing. In fact, it makes the algorithm more trustworthy, because we can see the math and the process that's used to create the encryption. The one major piece of information that we don't have is the key. And although we know how the algorithm works, we still are not able to reverse engineer anything unless we have that key.
This is very similar to the way that a door lock operates. We know how door locks work. We know how to manufacture door locks. We know what happens inside of a door lock when you put a key in. But just knowing that information doesn't somehow allow you access through a locked door. You have to have the proper key, just as you do with encryption and decryption. That key helps determine the final output. If you're encrypting data or hashing data or creating a digital signature, it's all based around that key. And even though we have the algorithm and understand everything about the math, you still need the key to be able to gain access to the data. This is why we always tell you to keep those private keys private. If somebody gains access to your key, they're able to use it on your door lock. And now, they have access to all of your data.
Like anything else, your encryption and decryption keys are subject to brute force attacks, which means that an attacker could go through every possible permutation to be able to determine what a public or private key might be. We can effectively prevent these brute force attacks from being successful by creating a very, very long key. In the world of encryption, a symmetric key of 128 bits or larger would be very common and today, would be very protected. As time goes on and our processors become more powerful and we're able to tie many different processors together, we may increase the size of our keys to make them that much more difficult to brute force.
This extension of the key lengths also applies to asymmetric encryption. Even though an asymmetric key involves complex mathematics surrounding very large prime numbers, an attacker can still attack it with brute force. And it's not uncommon to see asymmetric keys that have a key length of 3072 bits or even larger. This means as time goes on, we may have to create larger and larger keys, just to keep up with the changes in technology.
But there are some other things we can do to make our existing keys that much more secure. And one of the ways to do that is to perform the encryption process multiple times on a single type of data. For example, you may want to hash a password, then hash the hash of that password, then hash the hash of the hash of that password, and so on. This is referred to as key stretching or key strengthening. This means if someone wanted to brute force some data that's been encrypted multiple times using this key stretching method, they would need to decrypt multiple times to see if their brute force was successful. And this adds an additional overhead, and certainly would create more time during the brute force process.
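The "hash of the hash of the hash" described above (and in the Q & A on key stretching), as an added example that is not from the video: a stdlib-only Go implementation of PBKDF2-HMAC-SHA256 for one 32-byte output block, which is the standardized form of that iteration (RFC 8018, going slightly beyond the transcript by adding a per-user salt and XOR-accumulating each round). Every extra iteration is one more HMAC that a brute-force guess must also pay for; the password, salt and iteration counts are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// StretchKey derives a 32-byte key from a password with PBKDF2-HMAC-SHA256
// (RFC 8018, a single output block). Round 1 hashes salt || block index;
// every later round hashes the previous round's output, which is exactly
// the chained hashing the video calls key stretching. The salt keeps two
// users with the same password from stretching to the same key.
func StretchKey(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1 as a big-endian uint32
	u := mac.Sum(nil)
	t := make([]byte, len(u))
	copy(t, u)
	for i := 1; i < iterations; i++ {
		mac.Reset() // back to the keyed initial state
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j] // the derived key is the XOR of every round's output
		}
	}
	return t
}

// VerifyPassword recomputes the stretched key with the stored salt and
// iteration count and compares in constant time. An attacker testing a
// guess must spend the same number of HMAC rounds the defender chose.
func VerifyPassword(guess, salt []byte, iterations int, stored []byte) bool {
	return subtle.ConstantTimeCompare(StretchKey(guess, salt, iterations), stored) == 1
}

func main() {
	salt := []byte("salt") // constructed; use 16+ random bytes per user in practice
	for _, n := range []int{1, 1000, 100000} {
		k := StretchKey([]byte("password"), salt, n)
		fmt.Printf("%6d iterations: %s...\n", n, hex.EncodeToString(k)[:16])
	}
	stored := StretchKey([]byte("password"), salt, 100000)
	fmt.Println(VerifyPassword([]byte("password"), salt, 100000, stored)) // true
	fmt.Println(VerifyPassword([]byte("Password"), salt, 100000, stored)) // false
}
```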