
A Seat Belt for Data
Practical Use of Encryption in Teradata Systems
Jim Browning, Enterprise Security Architect, Teradata Labs
#TDPARTNERS16, Sept 11, 2016, GEORGIA WORLD CONGRESS CENTER

“Encryption is the equivalent of a seat belt for data.”
-- Andy Cordial, Managing Director, Origin Storage

Agenda
• Key Encryption Drivers
• Cryptographic Technology Primer
• Important Considerations
• Use of Encryption in Teradata Systems

Drivers for the Use of Encryption
Types of Data Requiring Protection
• Credit Card Information
  – Credit Card Numbers (PAN)
  – Service Codes
  – Expiration Dates
• Personal Identifying Information
  – Social Security Numbers
  – Tax Identifiers
  – Driver’s License Numbers
  – Date of Birth
• Consumer Financial Data
  – Account Numbers
  – PINs
• Protected Health Information
  – Identifiable Patient Data
  – Medical Record Numbers
• Corporate Financial Data
  – Non-public Information
• Human Resources Data
  – Payroll Information
  – Performance Ratings
• Customer and Prospect Data
• Trade Secrets and Intellectual Property

Drivers for the Use of Encryption
Standards and Regulations
• Payment Card Industry (PCI) Data Security Standard
• HIPAA Privacy Rule
• U.S. State Security Breach Notification Laws
• EU General Data Protection Regulation (GDPR)

“Any sufficiently advanced technology is indistinguishable from magic.”
-- Sir Arthur C. Clarke

Symmetric Key Cryptography
• Symmetric Key Cryptography
  – Cryptography in which the same key is used for encryption and decryption
    • Single Key Cryptography
    • Secret Key Cryptography
    • Shared Key Cryptography
[Diagram: Hello World! → B$s70x2G0&vC1lZA → Hello World!]

Symmetric Key Cryptography
• Symmetric Key Algorithms
  – Data Encryption Standard (DES)
  – Triple DES (3DES)
  – Blowfish
  – Advanced Encryption Standard (AES)
  – Twofish
  – International Data Encryption Standard (IDEA)
  – RC5

Symmetric Key Cryptography
• Advanced Encryption Standard (AES)
  – Standardized by FIPS in 2001 (FIPS Pub 197)
  – Uses 128-bit, 192-bit, or 256-bit keys
  – Operates on 16-byte data blocks
  – De facto standard for commercial and government applications
[Diagram: Hello World! → Js7%qaQ1b8$@nPl0 → Hello World!]

Asymmetric Key Cryptography
• Asymmetric Key Cryptography
  – Cryptography in which a pair of mathematically related keys are used for encryption and decryption
    • Public Key Cryptography
    • Data encrypted using one key (e.g., public key) can only be decrypted using the other key (e.g., private key) in the pair, and vice versa
[Diagram: Hello World! → 9vDf4$1j&Fqo*cR1 → Hello World!]

Asymmetric Key Cryptography
• Asymmetric Key Algorithms
  – RSA (Rivest Shamir Adleman)
  – Digital Signature Algorithm (DSA)
  – Elliptic Curve Cryptography (ECC)
  – RSA and DSA are used to provide confidentiality for secure communications protocols such as Transport Layer Security (TLS) and Secure Shell (SSH)

Hash Cryptography
• Hash Cryptography
  – Cryptography in which a mathematical algorithm is applied to produce a condensed representation of data
    • No key is used
    • Hash output is a fixed length, regardless of the size of input data
    • It is computationally infeasible to find the data which corresponds to a given hash, or to find different data that produces the same hash
    • Hash is one-way; plain text cannot be recreated from the hash
[Diagram: "Hello World!" shown with sample output strings]

Hash Cryptography
• Hash Cryptographic Algorithms
  – Message Digest Algorithm 5 (MD5)
    • Produces 128-bit hash
  – Secure Hash Algorithm (SHA)
    • SHA-1: Produces 160-bit hash
    • SHA-256: Produces 256-bit hash
    • SHA-512: Produces 512-bit hash
  – Applications for hashing
    • Password storage
    • Message integrity
    • Digital signatures

Secret Key Negotiation
• Diffie-Hellman Key Negotiation Protocol
  – Allows client and server to agree on a secret key over an insecure communication channel
  – Protocol uses two public values
    • p is a prime number
    • g is an integer less than p with the property that for every number n between 1 and p-1 inclusive, there is a power k of g such that n = g^k mod p
  – Security is provided by the discrete logarithm problem
    • It is computationally infeasible to calculate the shared secret key when the prime p is sufficiently large

Secure Communications Protocols
• Transport Layer Security (TLS)
  – An industry standard protocol for transmitting data in a secure manner over a network
    • Supersedes older Secure Sockets Layer (SSL) protocol
  – Defines methods for authentication, data encryption, and message integrity
  – Underlies protocols such as https, ldaps, ftps, pop3s, etc.
• Secure Shell (SSH)
  – Establishes a cryptographic tunnel between two network hosts
  – Secures remote logons, file transfers and remote command executions
[Diagram: SSH Client and SSH Server]

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.”
-- Dr. Eugene Spafford, Professor of Computer Science, Purdue University

Important Considerations
• Performance
• Table Size Expansion
• Encryption Key Security
• User/Application Transparency

Performance
• Cryptographic operations add performance overhead
  – Function of hardware generation and speed of processors
• Cryptographic operations are CPU-intensive
  – Function of cryptographic algorithm and key strength
  – Function of size of data and/or number of columns encrypted
  – Function of the characteristics of queries
    • Encrypted indexes, range searches, joins on encrypted columns
  – Function of the frequency of access
  – Function of table skew (affects parallel execution of cryptographic functions)

Performance
[Chart: Crypto Operations per Second (Hundreds to Millions) against Size of Data, for AES-128, AES-192, AES-256 and 3DES]

Table Size Expansion
• Encrypted data (ciphertext) requires more storage space than plain text data
  – Function of the size of original columns
    • Padding required for the selected cryptographic algorithm (e.g., 8-byte block, 16-byte block)
    [Figure: Original Data (2 bytes) + Padding (14 bytes); Original Data (12 bytes) + Padding (4 bytes); Ciphertext (16 bytes)]
  – Function of the number of columns encrypted
  – Loss of multi-value compression (MVC) benefits

Encryption Key Security
• Encryption keys must be securely managed
  – Strong keys should be securely and randomly generated
  – Keys must be protected wherever stored (disk or memory)
  – Keys should be distributed in a secure manner
  – Access to keys should be restricted
  – Keys should be periodically rotated
  – Keys should be archived with encrypted data
“Random numbers should not be generated with a method chosen at random.”
-- Donald E. Knuth, The Art of Computer Programming, Volume 2: Seminumerical Algorithms

User/Application Transparency
• Use of encryption should be largely transparent to users and applications
  – No transparency issues with encryption of network traffic
  – Cryptographic operations on table data can be largely transparent through the use of views and triggers
    • Flexibility needed to directly invoke functions as required to optimize queries
  – Use of encrypted data types further improves transparency
    • Limits on type functionality often restrict use
      – e.g., no statistics collection, cannot be part of an index

“Security doesn't matter until all of a sudden it does - and then it *really* matters.”
-- Ben Adida, Mozilla Architect

Use of Encryption within Teradata Systems
• Securing Remote Support Connectivity
• Securing Network Connections
• Securing Stored Passwords
• Securing Stored Data
• Securing Backups and Archives

Secure Remote Support Connectivity
Teradata ServiceConnect™
• No Virtual Private Network (VPN) or public IP address required
• Firewall-friendly – all connections initiated from Service Workstation (SWS) on customer side
• Connections secured using HTTPS and 128-bit TLS encryption
[Diagram labels: Customer; Teradata; ServiceConnect™; ServiceConnect Enhanced; Internet; Policy Server; Enterprise; Optional]

Secure Remote Support Connectivity
Teradata ServiceConnect™
• Outbound Connections
  – TLS port 443
    • Remote connectivity
    • Teradata Vital Infrastructure (TVI) alerts, events, and reports
    • Crashdump uploads
• ServiceConnect™ Enhanced
  – Axeda Policy Server
    • Enforce restrictions on remote support activities performed by Teradata
      – Logon access
      – File upload/download
      – Command execution
    • Audit remote support activities performed by Teradata

Network Traffic Encryption
• Network Traffic Encryption
  – Provides confidentiality for sensitive data when transmitted over untrusted networks
  – Protects against compromise by network sniffers
  – Examples
    • HTTP over TLS to secure communications to web services
    • LDAP over TLS to secure communications to authentication services
    • Teradata Generic Security Services (TDGSS) to secure communications between Teradata Clients and Database

Network Traffic Encryption
HTTP over TLS (https)
• Secures browser-based connections to web-based services
  – TDput – port 8443
    • Use TDput AllowedCiphers file to manage encryption algorithms allowed for connections
  – Viewpoint – port 443 or 9443
    • Use Certificates portlet to create and install TLS certificate
      – Create and install self-signed certificate
      – Create certificate signing request and install CA-signed certificate
    • Use General portlet to enable Require Access
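
The Diffie-Hellman slide earlier in the deck defines g by the property that every n from 1 to p-1 is some power of g modulo p, and ties the protocol's security to the size of p. The following is an added example, not part of the original presentation: it checks that property, runs both sides of the exchange, and shows that with a small prime the private exponent can be recovered by trying every k. The function names and the parameters p = 23, g = 5 are constructed for illustration.

```python
import secrets

def is_generator(g, p):
    """Slide's condition on g: every n in 1..p-1 equals g^k mod p for some k."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1

def keypair(g, p):
    """Return (private exponent, public value g^private mod p)."""
    while True:
        private = secrets.randbelow(p - 3) + 2      # uniform in 2 .. p-2
        public = pow(g, private, p)
        if 1 < public < p - 1:                      # skip degenerate public values
            return private, public

def shared_secret(their_public, my_private, p):
    """Combine the peer's public value with our own private exponent."""
    if not 1 < their_public < p - 1:                # reject 0, 1, p-1 and out-of-range input
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, p)

def negotiate(g, p):
    """Run both sides of the exchange; only A and B would cross the network."""
    if not is_generator(g, p):
        raise ValueError("g does not generate 1..p-1 modulo p")
    a, A = keypair(g, p)          # client side
    b, B = keypair(g, p)          # server side
    return shared_secret(B, a, p), shared_secret(A, b, p)

def exhaustive_log(g, target, p):
    """Find k with g^k mod p == target by trying every k; the work grows with p."""
    x = 1
    for k in range(1, p):
        x = (x * g) % p
        if x == target:
            return k
    raise ValueError("target is not a power of g")

if __name__ == "__main__":
    P, G = 23, 5                  # constructed toy parameters, far too small for real use
    client_key, server_key = negotiate(G, P)
    print("both sides agree:", client_key == server_key)
    print("exponent behind public value 8:", exhaustive_log(G, 8, P))
```

The exhaustive generator check and the exhaustive logarithm both take about p steps, which is why they finish instantly here and why the slide requires p to be sufficiently large.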