2016 mindthesec format-preserving encryption

Format Preserving Encryption Bruno Motta Rego

Upload: bruno-motta-rego

Post on 14-Apr-2017


Page 1: 2016 mindthesec Format-Preserving Encryption

Format Preserving Encryption

Bruno Motta Rego

Real World

real ecosystems, data everywhere

real ecosystems

In 93% of cases, it took attackers minutes or less to compromise systems; [1]

95% of web app attacks where criminals stole data were financially motivated; [1]

The median traffic of a DoS attack is 1.89 million packets per second; [1]

39% of crimeware incidents in 2015 involved ransomware. [1]

data everywhere

Vendor as a vector; [1]

More than 90% of breaches had a compromise time of “days or less”; [1]

63% of confirmed data breaches involved weak, default or stolen passwords; [1]

70% of breaches involving insider misuse took months or years to discover; [1]

challenges

People;

Vulnerability & Patch management;

Vendor management;

Legacy systems;

FPE

format-preserving encryption

NIST 800-38G

Approved methods for FPE; [3]

FF1 is FFX[Radix] "Feistel-based"

FF3 is BPS

Shared-key; [3]

Deterministic encryption; [3]

trade offs

Whole database encryption; [2]
• Encrypt data within DB – slows all apps down
• Separate solution for each database vendor
• No separation of duties – DBA can decrypt
• No security of data within applications and networks

Database column encryption; [2]
• Encrypt data via trigger and stored procedure
• Require schema changes
• No data masking support or separation of duties

Native or traditional application-level encryption; [2]
• Encrypt data itself, throughout lifecycle
• Requires DB schema/app format changes
• Heavy implementation cost

Weak, breakable encryption; [2]
• E.g., stream ciphers, alphabetic substitution
• Not secure – easily reversible by attacker
• Key management challenges

trade offs

Shuffling; [2]
• Shuffle existing data rows so data doesn’t match up
• Breaks referential integrity
• Can still leak data

Data tables and rules; [2]
• Consistently map original data to fake data
• Allows for referential integrity, reversibility
• Security risks due to use of look-up tables

choices

Guessing attacks;

Use Case

credit card number
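
The card-number use case, combined with the Feistel-based, shared-key, deterministic properties listed on the NIST 800-38G slide, as an added illustration that is not from the talk: a toy decimal Feistel cipher with HMAC-SHA256 as the round function. It is not FF1 or FF3 and is not for production; the function names, the 6-digit minimum, the demo key, the tweak and the card number are assumptions constructed for this example.

```python
import hashlib
import hmac

ROUNDS = 10  # FF1 also uses 10 Feistel rounds; everything else here is simplified


def _round_value(key: bytes, tweak: bytes, rnd: int, half: str, n: int) -> int:
    """Keyed round function: HMAC-SHA256 as a stand-in, not FF1's AES-based PRF."""
    msg = b"%d|%d|" % (n, rnd) + tweak + b"|" + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _check(digits: str) -> None:
    # Assumed lower bound: very small domains are open to guessing attacks.
    if not (digits.isascii() and digits.isdigit() and len(digits) >= 6):
        raise ValueError("expected at least 6 ASCII decimal digits")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length."""
    _check(digits)
    n, u = len(digits), len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else n - u  # width of the half rewritten this round
        c = (int(a) + _round_value(key, tweak, i, b, n)) % 10**m
        a, b = b, str(c).zfill(m)       # zfill keeps leading zeros, so length is fixed
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards with subtraction."""
    _check(digits)
    n, u = len(digits), len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else n - u
        c = (int(b) - _round_value(key, tweak, i, a, n)) % 10**m
        a, b = str(c).zfill(m), a
    return a + b


if __name__ == "__main__":
    key = bytes(range(32))    # constructed demo key; the shared secret
    pan = "4111111111111111"  # constructed test card number
    ct = fpe_encrypt(key, b"cards", pan)
    print(pan, "->", ct, "->", fpe_decrypt(key, b"cards", ct))
```

The ciphertext keeps the 16-digit length and digit alphabet, so it fits the existing column without schema changes, but it is not guaranteed to pass a Luhn check. Because encryption is deterministic, equal inputs under the same key and tweak give equal outputs, which preserves joins and also reveals equality.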

others

Customer Services;

Anti-Fraud;

Risk Intelligence;

THANK YOU!

Bruno Motta Rego

https://twitter.com/brunomottarego

references

[1] 2016 Data Breach Investigation Report (DBIR 2016). Verizon, Apr 2016.

[2] Streamlining Information Protection Through a Data-centric Security Approach.

[3] NIST SP 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption

[4] Ciphers with Arbitrary Finite Domains.