
Basa, Angelica Rose C. Bautista, Cecille Loie G. Ricafrente, Ma. Giezel M.


Encryption is a technique for encoding and scrambling data so that it cannot be read without authorization: the conversion of data into a secret code for storage in databases and for transmission over networks.

- Cleartext: the original message
- Ciphertext: the coded message
- Key: a mathematical value that the sender selects
- Algorithm: a mathematical procedure for performing encryption on data

Original message: Encryption can make UNIX more secure

Ciphertext (binary output shown in cat -v notation): M-itM-@g^B^?^B?^NM-XM-vZIMU_h^X^$kM-^^sI^^M-f1M-^ZM-jM-gBM-6M>^@M-"=^M-^JM-7M--M-^

What the strength of encryption depends on:
- The secrecy of the key.
- The difficulty of guessing the key or trying out all possible keys. Longer keys are generally harder to guess or find, since every additional bit doubles the number of keys an attacker has to try.
- The difficulty of inverting the encryption algorithm without knowing the encryption key.

It begins with a recent terrorist plot that was thwarted by breaking into encrypted files on a laptop seized during a criminal arrest, and then goes back to the beginnings of secret coded messages.

Enciphered clay tablet (1500 BC)

Early cipher disk

Famous Zimmermann coded telegram

Sample of modern encrypted text

Private Key Encryption (also called symmetric-key encryption)

o uses a single key known to both the sender and the receiver of the message. Examples: AES (Advanced Encryption Standard) and Triple-DES (the Data Encryption Standard applied three times).

o includes, at each end: the key, the cleartext message, the encryption program, the ciphertext, and the communications system that carries the ciphertext between the two ends.

[Figure: the sender's encryption program turns the cleartext message into ciphertext under the key; the ciphertext travels over the communications system; the receiver's encryption program turns it back into the cleartext message using the same key.]

[Figure: Triple-DES. Before transmission the cleartext message passes through the encryption program three times, with Key 1, Key 2 and Key 3, producing the ciphertext message. After transmission the receiver reverses the three steps with Key 3, Key 2 and Key 1 to recover the cleartext message. If the decoding program is run with a wrong key, the result is a garbled message.]

Advantages
o Simple
o You can encrypt and decrypt your own files
o Fast
o Uses less computer resources
o Prevents widespread message security compromise (each pair of parties has its own key, so one compromised key exposes only that pair's messages)

Disadvantages
o Need for a secure channel for secret key exchange
o Too many keys (every pair of communicating parties needs its own key)
o Origin and authenticity of the message cannot be guaranteed (anyone holding the shared key can produce a valid ciphertext, and without an integrity check a third party can alter one in transit)
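The following is an added example and not part of the original slides. It is a toy stream cipher built from SHA-256 in counter mode, standing in for AES or Triple-DES only so that three things from the sections above can be seen in running code: sender and receiver share one key; a key that is too short (here a constructed 16-bit one) falls to trying out all possible keys; and secret-key encryption by itself guarantees neither the origin nor the integrity of a message, so a message authentication code (HMAC) is appended to detect tampering. All keys, messages and helper names below are constructed for the example; do not use this cipher for real data.

```python
# Added example, not from the original slides: a toy stream cipher built from
# SHA-256 in counter mode. It stands in for AES/Triple-DES only to make three
# points visible: sender and receiver share one key; a short key falls to an
# exhaustive search; and secret-key encryption by itself cannot guarantee the
# origin or integrity of a message, so a MAC is added. Do not use it for real data.
import hashlib
import hmac
import os

NONCE_LEN = 8
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` pseudo-random bytes (counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, cleartext: bytes, nonce: bytes = None) -> bytes:
    """Return nonce || (cleartext XOR keystream). The same key decrypts."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(key, nonce, len(cleartext))
    return nonce + bytes(a ^ b for a, b in zip(cleartext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Receiver side: strip the nonce and XOR the same keystream back."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Try every possible key of `key_bits` bits until the decryption starts
    with a known cleartext prefix. Returns (key, number of tries). Each extra
    key bit doubles the worst case: 2**16 tries here, 2**128 for an AES-128 key."""
    key_len = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        key = k.to_bytes(key_len, "big")
        if decrypt(key, ciphertext).startswith(known_prefix):
            return key, k + 1
    return None, 1 << key_bits


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Without knowing the key, change cleartext bytes at `offset` from `old`
    to `new` by XORing the difference into the ciphertext. This works because
    the cipher is a stream cipher and nothing authenticates the message."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[NONCE_LEN + offset + i] ^= o ^ n
    return bytes(buf)


def encrypt_then_mac(key: bytes, cleartext: bytes) -> bytes:
    """Encrypt, then append an HMAC tag so the receiver can detect tampering."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct = encrypt(enc_key, cleartext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt_and_verify(key: bytes, blob: bytes):
    """Return the cleartext, or None if the tag does not match. The tag only
    proves that someone holding the shared key produced the message; with a
    single shared key, sender and receiver cannot be told apart."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, ct)


if __name__ == "__main__":
    msg = b"PAY 100 TO ALICE"          # constructed sample message
    weak_key = bytes.fromhex("beef")    # constructed 16-bit key: guessable in well under a second
    ct = encrypt(weak_key, msg)
    key, tries = brute_force(ct, b"PAY 100", 16)
    print("key recovered:", key.hex(), "after", tries, "tries")
    forged = tamper(ct, 4, b"100", b"900")
    print("receiver decrypts forged ciphertext as:", decrypt(weak_key, forged))
    strong_key = os.urandom(32)
    blob = encrypt_then_mac(strong_key, msg)
    print("authentic blob:", decrypt_and_verify(strong_key, blob))
    print("tampered blob:", decrypt_and_verify(strong_key, tamper(blob, 4, b"100", b"900")))
```

Running the block recovers the 16-bit key by exhaustive search, shows the amount in the forged message changed from 100 to 900 with the receiver none the wiser, and then shows the HMAC variant rejecting the same forgery. The point of the last function's comment is the slide's disadvantage in practice: a shared-key MAC proves the message came from a key holder, but cannot say which one, which is why nonrepudiation needs public-key signatures.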

Public Key Encryption (also called asymmetric encryption)

o uses two different keys: one for encoding messages and another for decoding them.

o each recipient has a private key that is kept secret and a public key that is published. Anyone can encrypt a message to the recipient with the public key; only the holder of the matching private key can decrypt it.

[Figure: at the sender locations, Sender A, Sender B and Sender C each run the encryption program on their cleartext message (A, B, C) with the receiver's public key and transmit the resulting ciphertext message. At the receiver location the single secure private key, used by the decryption program, turns ciphertext A, B and C back into cleartext messages A, B and C.]

Advantages
o Convenience (no secret has to be shared in advance)
o Provides for message authentication
o Detection of tampering
o Provides for nonrepudiation

Disadvantages
o Public keys must be authenticated
o Slow
o Uses up more computer resources
o Widespread security compromise is possible (one compromised private key exposes every message sent to its owner)
o Loss of the private key is irreparable

Public Key Infrastructure
o the underlying technical and institutional framework that allows public key encryption technology to be deployed.

Digital Signature
o electronic authentication that cannot be forged without the signer's private key.
o ensures that the message the sender transmitted was not tampered with after the signature was applied.

Digital Certificate
o contains the owner's public key and other identifying information about the person or organization to whom or which the key pertains, together with the digital signature of the certificate authority over those contents.

Certificate Authority
o trusted third party that issues and signs digital certificates, so that a published public key can be trusted to belong to its claimed owner.
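The following is an added example and not part of the original slides. It runs textbook RSA over fixed Mersenne primes, which is small enough to execute instantly but far too small (and unpadded) to be secure, to show the public-key ideas from the Public Key Encryption, Digital Signature, Digital Certificate and Certificate Authority sections end to end: encrypt with the recipient's public key and decrypt with the private key; sign with the private key and verify, detecting tampering, with the public key; and a certificate authority signing a toy certificate that binds a name to a public key. The primes, the names (alice@example.com, mallory@example.com), the message and all function names are constructed for the example.

```python
# Added example, not from the original slides: textbook RSA over fixed Mersenne
# primes, small enough to run instantly but far too small (and unpadded) to be
# secure. It shows the page's public-key ideas end to end: encrypt with the
# recipient's public key and decrypt with the private key; sign with the private
# key and verify (detecting tampering) with the public key; and a certificate
# authority signing a certificate that binds a name to a public key.
import hashlib

E = 65537  # common public exponent; coprime to phi for the primes used below


def generate_keypair(p: int, q: int, e: int = E):
    """Return (public_key, private_key) = ((n, e), (n, d)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, cleartext: bytes) -> int:
    """Anyone with the public key can encrypt; the message must be smaller than n."""
    n, e = public_key
    m = int.from_bytes(cleartext, "big")
    if m >= n:
        raise ValueError("cleartext too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the private-key holder can decrypt (leading zero bytes are dropped)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    """SHA-256 of the message reduced into the modulus (no padding; toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Digital signature: hash the message, then apply the private key."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Apply the public key to the signature; any change to the message or the
    signature makes the comparison fail, which is how tampering is detected."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def issue_certificate(ca_private_key, subject: str, subject_public_key):
    """Toy digital certificate: subject name and public key, signed by the CA.
    (A real X.509 certificate also carries issuer, validity dates and usage.)"""
    n, e = subject_public_key
    body = f"{subject}|{n}|{e}".encode()
    return body, sign(ca_private_key, body)


def check_certificate(ca_public_key, certificate):
    """Return (subject, public_key) if the CA's signature checks out, else None.
    Trusting the CA's public key is what lets us trust the subject's key."""
    body, signature = certificate
    if not verify(ca_public_key, body, signature):
        return None
    subject, n, e = body.decode().split("|")
    return subject, (int(n), int(e))


if __name__ == "__main__":
    # Constructed keys: Mersenne primes 2^61-1 and 2^89-1 for Alice,
    # 2^107-1 and 2^127-1 for the certificate authority.
    alice_pub, alice_priv = generate_keypair(2**61 - 1, 2**89 - 1)
    ca_pub, ca_priv = generate_keypair(2**107 - 1, 2**127 - 1)
    msg = b"PAY 100 TO ALICE"
    print("decrypted:", decrypt(alice_priv, encrypt(alice_pub, msg)))
    sig = sign(alice_priv, msg)
    print("genuine:", verify(alice_pub, msg, sig),
          "altered:", verify(alice_pub, b"PAY 900 TO ALICE", sig))
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    print("certificate:", check_certificate(ca_pub, cert))
    print("forged certificate:", check_certificate(ca_pub, (b"mallory@example.com|5|3", cert[1])))
```

The forged-certificate line is the "public keys must be authenticated" disadvantage in miniature: a public key presented on its own could belong to anyone, and only the CA's signature over name and key ties the two together. Real deployments add padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) and moduli of 2048 bits or more; the structure of the operations is the same.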

Secure Sockets Layer

o Secure Sockets Layer (SSL) is the de facto encryption standard for e-commerce; its successor, Transport Layer Security (TLS), is what current browsers actually negotiate. Here are some common features:

o It does not require user effort, as the need to encrypt is determined by the web site being accessed.
o It encrypts the connection between browsers and servers and can be used to authenticate servers and clients.
o It can encrypt, authenticate and validate the other protocols supported by SSL-enabled browsers, such as File Transfer Protocol and web-based e-mail.

Uses of encryption
o Electronic commerce
o Electronic mail
o Virtual private networks
o Wireless networks
o Stored data

What encryption can do
o Encryption can protect information stored on your computer from unauthorized access, even from people who otherwise have access to your computer system.
o Encryption can protect information while it is in transit from one computer system to another.
o Encryption can be used to deter and detect accidental or intentional alterations in your data.
o Encryption can be used to verify whether or not the author of a document is really who you think it is.

What encryption cannot do
o Encryption cannot prevent an attacker from deleting your data altogether.
o An attacker can compromise the encryption program itself. The attacker might modify the program to use a key different from the one you provide, or might record all of the encryption keys in a special file for later retrieval.
o An attacker might find a previously unknown and relatively easy way to decode messages encrypted with the algorithm you are using.
o An attacker could access your file before it is encrypted or after it is decrypted.
o Encryption relies on the encryption key: if the key is lost, guessed or stolen, the protection goes with it.
o There is overhead in encrypting and decrypting messages, especially if a digital certificate is involved.

Access control is a key control area in any audit that involves information systems, and encryption can provide strong access controls.

Financial Statement Audits

Management Assertion / Effect of Encryption
- Existence or occurrence: prevents unauthorized system access to record transactions that did not take place or assets that do not exist; prevents unauthorized alteration of accounting records to change assets or liabilities
- Completeness: prevents unauthorized system access to remove recorded transactions
- Accuracy: prevents unauthorized system access to change recorded transactions
- Rights and obligations: prevents unauthorized alteration of contracts in electronic format
- Valuation: prevents unauthorized alteration of loan reserve and inventory activities
- Presentation and disclosure: prevents unauthorized alteration of financial statement information

Internal and Value-for-money Audits

Management Assertion / Effect of Encryption
- Confidentiality and privacy: prevents unauthorized system access to confidential or personal information
- Effectiveness and efficiency: prevents unauthorized alteration of system functions

Other Attest Audits

Management Assertion / Effect of Encryption
- Security: prevents unauthorized access to systems and information
- Transaction integrity: prevents unauthorized system access to record transactions that did not take place or assets that do not exist; prevents unauthorized alteration of transaction records
- Confidentiality and privacy: prevents unauthorized system access to confidential or personal information
- Availability: prevents unauthorized access to systems and networks to help preserve continuity of service
- Nonrepudiation: digital signatures provide assurance that transactions were actually executed by the purported party
- Disclosure: prevents unauthorized change of disclosed information
- Maintainability: prevents unauthorized change to source code and documentation that would inhibit system maintenance

Audit Objective
o to ensure the protection of data stored and transmitted.
o to assess the effectiveness of encryption in supporting management assertions.

Audit Procedures
o Review the organization's information security policy to determine whether it provides sufficient guidance on information classification and the application of encryption.
o Review and test the encryption software to assess whether it adequately supports the information security policy and information classification.
o Review and test key management procedures to assess their adequacy in supporting the information security policy.
o Review the points of decryption and assess whether data custodians and owners are aware of the need for compensating controls.
o Review user procedures and interview selected users to determine whether encryption is effectively applied.
o Review contracts with certificate authorities and other service organizations to assess whether responsibilities and obligations are clearly understood.
o Where applicable, review the external control assurance report on CAs and other service organizations.
o Review the extent of deployment of encryption in relation to statutory requirements and expectations.
o Review procedures and infrastructure controls for wireless networks to assess whether encryption provides security comparable to wired networks.
o Review procedures and infrastructure controls for mobile devices to assess whether encryption provides security comparable to workstations.

Audit Conclusion
o Summary
o Scope and limitations
o Methods and tools
o Outcome of the audit
o Recommendations

Movie Clips from The Da Vinci Code

Movie Clips from Skyfall


Security matters