From the course: CompTIA Advanced Security Practitioner (CASP+) (CAS-004) Cert Prep
Privacy and confidentiality
Let's talk about privacy and confidentiality requirements and how they can be met using cryptography and public key infrastructure. First, what is privacy? When dealing with data security, we consider privacy to have been achieved if we have the ability to protect sensitive information about somebody's personally identifiable information. Now, confidentiality is considered to be more broad than privacy because we expand our definition to cover protecting data against unintentional, unlawful, or unauthorized access, disclosure, or theft of any sensitive information. Often, though, people in the cybersecurity world are going to use these two terms, privacy and confidentiality, interchangeably.

Now, in order to achieve privacy or confidentiality, we need to put security controls in place when we design our security architectures for our enterprise networks. The most common technology used to protect the privacy and confidentiality of our data is encryption using cryptography and public key infrastructure. Now, cryptography is broken down into two main types based upon the type of keys that are used to protect the data. These are symmetric key encryption and asymmetric key encryption.

With symmetric key encryption, the same key is used by both the person transmitting or storing the data and the person who receives or reads the data. For example, if you're storing files on a BitLocker encrypted hard drive on a Windows computer, you're using symmetric encryption to store those files on the drive and again to read those files from the drive, and you're doing that with the same key. Asymmetric encryption instead uses two keys, a public key and a private key, which is supported by a public key infrastructure or PKI system. When you send an email to a colleague at work and encrypt it, you're usually doing this using an asymmetric key.

Now, first, your email client is going to take the message that you want to send, and it's going to encrypt it using the recipient's public key, which it gets by going to the PKI system. Then the message is sent over to the receiver, and once it's received, their email client will decrypt that message using their own private key. Because each person using PKI has both a public and a private key, this key pair can be used to encrypt and decrypt the contents of a message. If the public key is used to encrypt it, then the matching private key must be used to decrypt it. This is how privacy and confidentiality are maintained, because only the individuals themselves have a copy of their private key, but everybody can access their public key from a central authoritative server. This means only the person who's receiving it and using their private key can actually open that message and read it.

Now, when might you want to use symmetric key encryption versus asymmetric key encryption as your solution? Well, a symmetric key encryption system is preferred anytime you value speed because it's about a thousand times faster than an equivalently secure asymmetric key system. If you're going to send a lot of data, using symmetric key encryption is going to make a lot of sense because it can handle more data at any given time due to its increased speed.

But if symmetric key is so wonderful, why do we even need asymmetric key encryption? Well, it comes down to the concept of key distribution. Remember, with symmetric key encryption, we're using the same key to encrypt and decrypt the data. So if I want to send an email to you and I encrypt it using symmetric key encryption, that means I need to have a way to give you that key before I send you the email. Otherwise, you won't be able to decrypt it. Additionally, if I wanted to send an email to somebody else, let's say my friend Scott, I need to share a different key between Scott and myself. So now the two of us are able to communicate privately without you or anybody else being able to read the messages we send. So now I have two keys, one for me and you and one for me and Scott. So if I'm using symmetric key encryption for sending my emails, I'm literally going to need hundreds or thousands of different keys, and each individual key would need to be shared between me and the person I want to securely communicate with. As you can see, this gets to be really cumbersome and impractical pretty darn quickly.

So instead, we use asymmetric encryption because now each person only needs to have two keys, a private key and a public key. Those public keys are, well, public, so anybody can have a copy of your public key. It can just be hosted on a centralized server, for example. Now when I want to send you a message, I can connect to the trusted centralized server and get your public key. Then I use your public key to encrypt the message I want to send. This completely eliminates the key distribution challenges that are experienced with symmetric key encryption, but we still have the issue of speed because asymmetric encryption is a thousand times slower than symmetric key encryption. For sending emails, this really isn't too big of a deal because it's an asynchronous process anyway, but for other applications, this would create a massive bottleneck in our systems.

So to overcome this, we can use a hybrid solution and combine both symmetric and asymmetric solutions together. For example, let's say you want to connect to an e-commerce website like amazon.com. You're first going to get a copy of Amazon's public key from the centralized server. Your computer then chooses a long random string of numbers and encrypts that string using the public key for Amazon's server. When the Amazon server receives that encrypted string, it can then use the private key that it has to decrypt it. This portion of the process is asymmetric, and we're using PKI here. Now, the server takes that long random string, and it uses that to initiate a secure encrypted connection between my client and their server using a symmetric key encryption method. Now, we have securely exchanged a symmetric key, since I just created it and I already know what it is, and then I send it over using an asymmetric model so that the server also has that key using PKI. This allows us to use the slower asymmetric encryption to do our key exchange, which is a relatively small amount of data, so the slower speed isn't a major issue here. But once we both have that same shared secret, we can establish a symmetric encryption path between the client and the server and use that for the bulk of our data transfer, such as browsing on Amazon to buy a new textbook or even to watch some videos from the site.

In addition to encryption, enterprise architects also use authentication mechanisms like passwords, smart cards, key fobs, biometric verification, and others to ensure only authorized people can access a particular resource on a given network. So remember, encryption is the most commonly used technology when it comes to meeting the privacy and confidentiality requirements for your security architecture. To provide this confidentiality, you need to use either a symmetric key encryption algorithm or an asymmetric key encryption algorithm where the sender of the data uses the receiver's public key to secure that data.
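The hybrid exchange described in the transcript, as an added example that is not part of the course material: the client wraps a random session key with the server's public key, the server unwraps it with its private key, and both sides then use fast symmetric encryption for the bulk data. The function names, the choice of RSA-OAEP and AES-256-GCM, and the sample messages are assumptions made for the illustration.

```javascript
// Added example: hybrid key exchange sketch using Node's built-in crypto module.
const crypto = require('node:crypto');

// Server's long-term key pair; in practice the public key arrives in a certificate.
function makeServerKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client: pick a random 256-bit session key and wrap it with the server's public key.
function clientWrapSessionKey(serverPublicKey) {
  const sessionKey = crypto.randomBytes(32);
  const wrapped = crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrapped };
}

// Server: only the holder of the matching private key can recover the session key.
function serverUnwrapSessionKey(serverPrivateKey, wrapped) {
  return crypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, wrapped);
}

// Bulk data: fast symmetric AES-256-GCM under the shared session key.
function encryptBulk(sessionKey, plaintext) {
  const iv = crypto.randomBytes(12); // must be unique per message under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the ciphertext or tag was modified in transit.
function decryptBulk(sessionKey, { iv, ciphertext, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Constructed demo: one asymmetric exchange, then a symmetric message in each direction.
function demo() {
  const server = makeServerKeyPair();
  const { sessionKey, wrapped } = clientWrapSessionKey(server.publicKey);
  const serverKey = serverUnwrapSessionKey(server.privateKey, wrapped);
  const request = decryptBulk(serverKey, encryptBulk(sessionKey, 'GET /cart'));
  const response = decryptBulk(sessionKey, encryptBulk(serverKey, 'cart: 1 textbook'));
  return { keysMatch: sessionKey.equals(serverKey), wrappedLen: wrapped.length, request, response };
}
```

Only the 32-byte session key passes through the slow RSA operation; everything after that is symmetric. Real TLS negotiates keys differently (TLS 1.3 uses ephemeral Diffie-Hellman rather than RSA key transport), so this illustrates the hybrid idea only.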