Crypto questions
R1. Describe four types of secrecy practiced by enterprises.
A company’s secrecy falls into four categories: obligations, trade secrets, managing publicity, and secrecy culture. An obligation is when a company has legal or contractual obligations to keep certain types of information secret, such as health care records or any information that might affect the company’s stock price. A trade secret is when a company keeps certain information secret because it would give competitors a commercial advantage, such as items that might be patented or items that cannot be patented. Managing publicity speaks for itself: withholding information from the public. Secrecy culture is when some companies have a tradition of keeping their internal activities secret, even without compelling business or legal reasons to do so.
R2. Describe two techniques to help decrease the insider threat.
Monitoring people is a way to get them to behave, especially if they think someone is always watching them. Cashiers in retail stores know this all too well: they know that someone is always watching that drawer of cash every time it opens, and if a certain amount of money is missing at the end of the day, they will be watched carefully until the money is found. Job rotation is when job titles and duties are switched on a regular basis, so that a person cannot find glitches and exploit them in large quantities, or at all, before being rotated out.
R3. Which headers are left in plaintext when we use link encryption? Network encryption? Application encryption?
Network encryption: the only way a packet can be routed through the protocol stacks is if the appropriate packet headers remain in plaintext.
R4. Explain how key wrapping works on a network. Compare network-based key wrapping with file-based key wrapping.
Key wrapping uses a KEK to encrypt the key you would distribute. When you encrypt the contents of a file, you encrypt it with a content encrypting key (CEK). Then you wrap the CEK with a key encrypting key (KEK) to share it. When you want to encrypt network traffic, the terms are slightly different: you encrypt the traffic with a traffic encrypting key (TEK), and then you wrap the TEK with a key encrypting key to share it.
R1. Describe four types of secrecy practiced by enterprises.
Company secrecy falls roughly into four categories:
1. Obligations. Companies may have legal or contractual obligations to keep certain types of information secret. Legal obligations address employee privacy, health records privacy, and information that could affect a public company’s stock price. Contractual obligations may include trade secrets shared with others, licensed software management, and rules for handling credit card transactions.
2. Trade secrets. Companies keep information secret that would give competitors a commercial advantage. These include inventions and processes that may be subject to patent or unpatentable techniques that would benefit competitors. Other trade secrets include business details that might help competitors anticipate price decisions or identify customers that a competitor might try to lure away.
3. Managing publicity. As noted previously, companies may keep things secret that might not yield positive publicity.
4. Secrecy culture. Some companies have a tradition of keeping their internal activities secret, even without compelling business or legal reasons to do so.
(Smith 569-570)
R2. Describe two techniques to help reduce the insider threat.
There are three strategies for reducing the risks of insider threats; two of them are:
1. Monitoring. People are more likely to behave if they think they are being watched. Monitoring may double-check periodic results, like the cash held by cashiers, or may scan for unauthorized activity, like access to nonbusiness websites during business hours.
2. Two-person or multiperson control. Most employee misbehavior is by individuals, not conspiracies. Companies can greatly reduce the risk by involving two or more people in important transactions. This may be procedural, as with checks for accounts payable, in which one person makes the list of checks, another prints the checks, and a third signs them. This also may be implemented with automated systems, as with nuclear missile launching or automated workflow systems.
This “two-person concept” is also applied to work on nuclear weapons, where it is also called the “no lone zone”.
R3. Which headers are left in plaintext when we use link encryption? Network encryption? Application encryption?
The only way we can route a packet through protocol stacks is if the appropriate packet headers remain in plaintext. (Smith 623)
With lower application-layer encryption using SSL, the security boundary includes the user’s computer, the server’s computer, and the application processes that handle plaintext, encryption, or decryption. (Smith 666)
With 802.11 link encryption, the Link Header and WPA2 Header are left in plaintext.
In network encryption with IPsec protection the Link Header, IP Header, and IPsec Header are left in plaintext.
Application encryption leaves the Link Header, IP Header, TCP/UDP Header, Application Header, and Crypto Header all in plaintext.
R4. Explain how key wrapping works on a network. Compare network-based key wrapping with file-based key wrapping.
Key wrapping uses a KEK to encrypt the key we distribute. When encrypting the contents of a file, we encrypt it with a content encrypting key (CEK). We then wrap the CEK with a key encrypting key (KEK) when sharing it. When encrypting network traffic, we use slightly different terms; we encrypt network traffic with a traffic encrypting key (TEK). We then wrap the TEK with a KEK when sharing it.