Sunday, November 27, 2011

Data Encryption Standard (DES) Algorithm and its Applications

The basic DES algorithm can be used for both data encryption and data authentication.Here we will look into the Encryption aspect. I will follow another post with authentication..
Data Encryption: It is easy to see how the DES may be used to encrypt a 64-bit plaintext input to a 64-bit cipher text output, but data are seldom limited to 64bits. In order to use DES in a variety of cryptographic applications, four modes of operation were developed:
  • electronic codebook (ECB);
  • cipher feedback (CFB);
  • cipher block chaining (CBC); and
  • output feedback (OFB)
Each mode has itsadvantages and disadvantages.
ECB is excellent for encrypting keys;
CFB is typicallyused for encrypting individual characters; and

OFB is often used for encrypting satellite communications.
Both CBC and CFB can be used to authenticate data. These modes of operation permit the use of DES for interactive terminal to host encryption, cryptographic key encryption for automated key management applications, file encryption,mail encryption, satellite data encryption, and other applications. In fact, it is extremely difficult, if not impossible, to find a cryptographic application where the DES cannot be applied.

SSL Transaction

SSL transaction or Handshake process

Thursday, November 24, 2011

Key Management Plan Review

I mentioned, how to write a Key Management Plan in my previous post with guidelines on what to be included and what are the keys aspects that needed to be addressed as part of Key Life cycle management. In this post, i will talk about the "what to look for" within the Key management plan while reviewing. Having a standard guidelines on Key Management plan review, will ensure the plan has adequate information for Key administrator to use once when the keys are sent to production
Key Generation Process

Provide dates; location details if appropriate 
§  Date and Time
§  Required attendees (CBA and Non CBA)
§  Key Register (If required)
§  List of Actions and Outcome
Description of how the key(s) will be sourced. This may be via another agency or may be key(s) generation processes or equipment
How the key is to be physically loaded into the hardware and/or software cryptographic system
Describes how the key(s) are to be used
1.       When encryption and decryption occurs;
2.      What data is to be encrypted and decrypted; and
3.      The keys and algorithms are to be used in these transformations
Crypto period(s) for the various key
Details of how the key(s) will be electronically and physically stored
Key Accounting and Distribution
Detail the number of copies of key to be produced and distributed to the various parties
If appropriate, detail how key(s) are to be destroyed
Details on how keys will be distributed electronically or physically. This should include security details of courier(s), if used, as well as how the couriers will handle contingencies such as loss or compromise of keys
Provide explanation/procedure on the circumstance under which a key may be destroyed
Key archiving usually requires provisions for moving the key to new storage media when the old media are no longer readable because of aging of, or technical changes to, the media readers
Key Contingency
Describe the conditions under which a compromise of cryptographic key material should be declared
Detail the procedures for recovery of keys and encrypted material
Detail the key compromise procedure on how the incident will be investigated and how to escalate the incident.
Key Retrieval
The KMP design shall specify how, and the circumstances under which, keys and their bound metadata may be retrieved from a key database storage facility
Maintenance Schedule
Detail the procedures for testing or verification of software upgrades to critical cryptographic services in either the hardware (through firmware) or software
Key Resources
List of parties involved with their contact details.Depending on the criticality  verify the names of backup custodians as necessary
Key Conveyance form
Does the KMP covers on agreed format of Key exchange. All parties involved in key Conveyance exchange/Acknowledgement and Key Destroy.