Professional Documents
Culture Documents
a technique to code and scramble data to prevent them from being read without authorization. conversion of data into a secret code for storage in databases and transmission over networks.
Cleartext
Ciphertext
M-itM-@g^B^?^B?^NM-XM-vZIMU_h^X^$kM-^^sI^^M-f1M-^ZM-jM-gBM-6M>^@M-"=^M-^JM-7M--M-^ (ciphertext)
The secrecy of the key. The difficulty of guessing the key or trying out all possible keys. Longer keys are generally harder to guess or find. The difficulty of inverting the encryption algorithm without knowing the encryption key
It begun with a recent terrorist plot that was thwarted by breaking into encrypted files on a laptop obtained during a criminal arrest and then goes back to the beginnings of using secret coded messages.
a single key known to both sender and receiver of the message. AES (Advanced Encryption Standard) and Triple-DES (Data Encryption Standard)
o includes
Key
Cleartext Message
Encryption Program
Ciphertext
Communications System
Cleartext Message
Encryption Program
Ciphertext
Communications System
Key
Key 1
Cleartext Message
Encryption Program
Ciphertext Message
Encryption Program
Key 2
Transmission
Ciphertext Message
Encryption Program
Key 3
Ciphertext Message
Key 1
Cleartext Message
Key 2
Transmission
Advantages
Simple Encrypt and decrypt your own files Fast Uses less computer resources Prevents widespread message security compromise
Disadvantages
Need for secure channel for secret key exchange Too many keys Origin and authenticity of message cannot be guaranteed
uses two different keys: one for encoding messages and other for decoding them. o each recipient has a private key that is kept secret and a public key that is published.
Sender Locations
Sender A
Cleartext Message A Public Key Encryption Program Ciphertext Message A
Transmit Message
Receiver Locations
Sender B
Cleartext Message B
Sender C
Cleartext Message C
Advantages Convenience Provides for message authentication Detection of tampering Provide for nonrepudiation
Disadvantages Public keys must be authenticated Slow Uses up more computer resources Widespread security compromise is possible Loss of private key is irreparable
the underlying technical and institutional framework that allows public key encryption technology to be deployed.
Digital Signature
o
electronic authentication that cannot be forged. o ensures that the message that the sender transmitted was not tampered with after the signature was applied.
Digital Certificate
o
contains the digital signature and other identifying information about the person or organization to whom or which the signature pertains.
Certificate Authority
o trusted third party
Secure Sockets Layer (SSL) is the de facto encryption standard for e-commerce. Here are some common features:
determined by the web site being accessed. o It provides end-to-end encryption between browsers and servers and can be used to authenticate servers and clients. o It can encrypt, authenticate and validate all protocols supported by SSL-enabled browsers, such as File Transfer Protocol and web-based e-mail.
Electronic Commerce Electronic Mail Virtual Private Network Wireless Network Stored Data
Encryption can protect information stored on your computer from unauthorized access - even from people who otherwise have access to your computer system. Encryption can protect information while it is in transit from one computer system to another. Encryption can be used to deter and detect accidental or intentional alterations in your data. Encryption can be used to verify whether or not the author of a document is really who you think it is.
cannot prevent an attacker from deleting your data altogether. An attacker can compromise the encryption program itself. The attacker might modify the program to use a key different from the one you provide, or might record all of the encryption keys in a special file for later retrieval. An attacker might find a previously unknown and relatively easy way to decode messages encrypted with the algorithm you are using. An attacker could access your file before it is encrypted or after it is decrypted. relies on the encryption key. the overhead it takes to encrypt and decrypt the messages, especially if a digital certificate is involved.
Access control is a key control area in any audit that involves information systems, and encryption can provide strong access controls.
Management Assertion
Existence or occurrences prevents unauthorized system access to record transactions that did not take place or assets that do not exist. prevents unauthorized alteration of accounting records to change assets or liabilities
Completeness
Accuracy Rights and obligations Valuation Presentation and disclosures
Disclosure
Maintability
Audit
to
ensure the protection of data stored and transmitted. to assess the effectiveness of encryption to support management assertions
Objective
Audit Procedures
Review the organization's information security policy to determine whether it provides sufficient guidance in information classification and application of encryption. Review and test the encryption software to assess whether it adequately supports the information security policy and information classification. Review and test key management procedures to assess their adequacy in supporting the information security policy. Review the points of decryption and assess whether data custodians and owners are aware of the need for compensating controls. Review user procedures and interview selected users to determine whether encryption is effectively applied.
Audit Procedures
Review contracts with certificate authorities and other service organizations to assess whether responsibilities and obligations are clearly understood. Where applicable, review the external control assurance report on CAs and other service organizations. Review the extent of deployment of encryption in relation to statutory requirements and expectations. Review procedures and infrastructure controls for wireless networks to assess whether encryption provides comparable security wired networks. Review procedures and infrastructure controls for mobile devices to assess whether encryption provides comparable security to workstations.
Audit Conclusion
Summary Scope and limitations Methods and tools Outcome of the audit Recommendations