Encryption Technologies - CompTIA Security+ SY0-701 - 1.4

00:01

If you were to look on a modern motherboard,

00:03

you would find a chip or a subsystem called a Trusted

00:06

Platform Module, or a TPM.

00:09

This is a standardized bit of hardware

00:11

that is specifically designed to provide cryptographic functions

00:14

for that computer.

00:16

If you want to do anything with cryptography,

00:18

such as generating random numbers or keys,

00:21

you can do that by using the TPM.

00:23

The TPM also has persistent memory,

00:26

so you can have keys that have been created and burned

00:28

into this TPM that are unique to only this machine.

00:32

This becomes especially helpful if you

00:34

need some type of secure key generation

00:37

that you could use for something like full-disk encryption.

00:40

This can also securely store these keys

00:42

on your local machine.

00:44

So if you wanted to use a different set of keys

00:46

for BitLocker, you could have the TPM create and store

00:49

those keys on that system.

00:51

This is also password protected, and there's

00:53

no way to use a brute force or dictionary

00:55

attack to gain access to the information stored in your TPM.

01:00

You can think of a TPM as providing encryption functions

01:03

for a single device.

01:04

But in our data centers, we need to provide

01:07

cryptographic functions for hundreds or thousands

01:10

of devices.

01:11

For that large-scale cryptographic use,

01:13

we would want to use a Hardware Security Module, or HSM.

01:18

HSMs in large environments are usually clustered together,

01:21

and there's redundancy, such as power supplies and network

01:24

connectivity, so that you will always have access to the HSM.

01:29

Imagine having a thousand web servers in your data center

01:32

and you need someplace to securely store

01:34

all of the encryption keys for all of those servers.

01:37

In that scenario, you would use the HSM

01:39

to provide the secure storage for all of those systems.

01:43

For this large-scale cryptography,

01:45

it's more efficient if you are able to perform

01:47

these cryptographic functions in the hardware

01:50

of the device itself.

01:51

So, many HSM devices will have a separate plug-in card

01:55

or separate hardware that can connect

01:57

to the HSM that is specifically designed to perform very

02:00

fast cryptographic functions.

02:03

These devices are also specially designed

02:05

to securely store keys.

02:07

This allows you to store all of those sensitive keys

02:09

on a centralized HSM but prevents unauthorized access

02:13

to those keys.

02:14

And additional hardware such as cryptographic accelerators

02:17

can be used on an HSM, especially if the HSM needs

02:21

to perform encryption and decryption

02:23

in real time in large-scale computing environments.

02:27

So now we've got encryption keys that

02:29

are used for our web servers.

02:31

We have encryption keys for full-disk encryption

02:34

on our individual devices.

02:35

Each individual user may have their own certificates.

02:38

So we need some way to manage all of these keys.

02:42

Fortunately, we can provide this type of management

02:45

through a centralized key management system.

02:48

You can run these key management systems

02:50

on devices that are on your premises,

02:52

or it may be a cloud-based system that

02:53

can be accessed from anywhere.

02:55

This allows you to manage all of these very different keys

02:58

from one single management console.

03:01

And this also keeps all of the keys separate from the data

03:05

that you're trying to protect.

03:06

So you might create a series of keys.

03:08

Maybe it's an SSL or TLS key for a web server.

03:12

Maybe it's an SSH key to provide remote access to a console.

03:16

Or it's keys that you would use for Active Directory

03:19

or for BitLocker.

03:20

Once you create the keys, you would

03:22

associate those with specific users

03:24

in the software of the key management system.

03:26

And you can set up an automatic key rotation

03:29

so that you're constantly changing out keys

03:31

as time goes on.

03:33

This is also a great place to provide logging and reporting

03:36

of all of the keys and how you're

03:38

using them in your environment.

03:40

Here's the dashboard of the key management

03:42

system, which gives us a summary of the types of keys

03:44

that we're using.

03:45

We can see what certificate authorities have

03:47

been used, when certificates might expire,

03:50

details for licenses, and more.

03:52

If you wanted to see the keys we were using for our web servers,

03:55

we can click on SSL.

03:57

And now we can see what keys have been created

03:59

and what server they're associated with.

04:02

We can look up similar key information for SSH console

04:05

communication, where you could see

04:07

the key name, the fingerprint and other details,

04:09

and where this key might be used.

04:11

And of course, we can create reports

04:14

that can give us information on how these keys are being used,

04:17

what keys are currently active, which keys are inactive.

04:20

And we can get a summary of how often

04:22

these keys are being utilized.

04:24

When all of our data was stored on one

04:26

central mainframe computer, it was relatively

04:28

easy to provide security.

04:30

We just had to keep anyone from gaining access

04:32

to that one source of data.

04:34

But of course, today, our data is spread

04:37

across many different systems.

04:38

We have data on a laptop, a mobile phone,

04:41

on our computers at home, and many other locations.

04:44

So how do we maintain the privacy of our data,

04:46

even though we seem to be distributing this data

04:49

onto many different systems?

04:51

Another challenge we have is that as soon

04:53

as we find a secure way to store data,

04:55

the attackers find ways to gain access to that data.

04:59

It's a constant race to stay one step

05:01

ahead of people that are trying to get their hands

05:03

on your information.

05:05

Another challenge is that all of this data that we're using

05:07

is constantly changing.

05:09

So we not only need to protect and keep this data private,

05:12

but we also need ways to easily change that data at any time.

05:16

One way that we're providing this privacy of our data

05:19

is through the use of a secure enclave.

05:22

A secure enclave is a security processor

05:24

that's built into the systems that we're using.

05:27

You probably have one on your mobile phone,

05:29

perhaps even in your laptop, or even your desktop systems.

05:33

This is not considered the primary CPU of your system.

05:36

This is a separate processor whose job is solely dedicated

05:40

to the privacy of your data.

05:41

Different manufacturers will also

05:43

have different names for this security processor,

05:46

but we generally refer to it generically

05:48

as a secure enclave.

05:50

This is the technology that allows

05:51

you to keep all of your data private,

05:53

even if your phone and other devices

05:55

were to fall into the hands of someone else.

05:58

This is a separate secure processor

06:00

that has its own boot ROM.

06:01

It manages and monitors all of the processes on your system,

06:06

especially during the boot process.

06:07

It has a true random number generator.

06:10

It can do real-time encryption of all of the data

06:13

as it moves in and out of memory.

06:16

It has cryptographic keys that are built in that cannot be

06:19

changed and that can be used as a root for all of the other

06:23

cryptography on your system.

06:25

And it does AES encryption in the hardware of your device.

06:29

This is just a summary of the things

06:31

that are available inside a secure enclave.

06:34

But you can see that the power of these processors

06:36

works to keep all of your data private, regardless

06:39

of where it happens to be.